Security Thread

Started by Triple Zero, August 02, 2009, 01:13:29 PM

Chief Uwachiquen

Quote from: rong on October 23, 2009, 11:39:31 AM
is anyone up to speed on the current capabilities of voice recognition software?  just curious as to how well that can/could be applied to all those recorded phone calls.

I don't know too much about it, but I did pick up a little bit from my roommate's mom, who works as a psychologist at a max security prison. At least I think it's max security. BUT ANYWAY. She was talking about how voice recognition software is still kind of archaic and a pain in the ass. Even the slightest bit of change in a person's voice fucks with the whole system. They can't even recognize someone if they have the slightest head cold and they have to call in somebody to authorize them. So, under ideal circumstances, voice recognition works okay but it's hardly fantastorasstic. At least, that's what I've gotten from what I've heard. Of course I could be wrong, but meh.

Cain

Quote from: Triple Zero on November 08, 2009, 10:01:08 AM
why they only use it for spam and not political purposes truly is beyond me, maybe they just don't care and it pays pretty well? or maybe they really are just clueless.

Apparently many hacker groups are apprehensive about working for governments or against other governments, not without reason, because while the government is not good at the technical side of things, it is very good at manipulating and using people until they cease being useful, and then making an example of them or using them as a bargaining chip.  If in the future, Georgia and Russia wanted to kiss and make up, for example, a few hackers might be sent to do some hard time in a Tbilisi jail.  Or if a government wants to make really sure an attack can't be traced back to them by a criminal group thinking about selling them out, it might arrange some "fatal muggings".  At the very least, once they have proof of your illegal actions and your identity, they can then blackmail you into working for free, on the threat of imprisonment, not a pleasant prospect at all.

Triple Zero

Well, I didn't mean to work for the government, also because I don't think they really pay more than a proper spamming run.

And indeed then they know your name.

I was thinking of them carrying out their own politically motivated actions. I dunno, get in the way of some fucks you don't like, or help a bunch of others. All while staying out of the picture, of course.
Ex-Soviet Bloc Sexual Attack Swede of Tomorrow™
e-prime disclaimer: let it seem fairly unclear I understand the apparent subjectivity of the above statements. maybe.

INFORMATION SO POWERFUL, YOU ACTUALLY NEED LESS.

Triple Zero

Updated the first post with a list of good security blogs, will update as I find more, also accepting suggestions of course.

lightbluetouchpaper is a new one I found today.

Quote from: Triple Zero on August 02, 2009, 01:13:29 PM
Quote from: Cain on August 02, 2009, 02:08:08 PM
What are some good sites for security news?

Some Top (IMO) security blogs

http://www.schneier.com/blog/
http://www.wired.com/threatlevel/
http://www.lightbluetouchpaper.org/ (Security Research, Computer Laboratory, University of Cambridge--interesting projects)
http://asert.arbornetworks.com/
Tangentially security related (privacy, electronic freedom, etc)
http://www.freedom-to-tinker.com/
http://www.eff.org/deeplinks/archive
https://www.bof.nl/ (the Dutch EFF. if you can read Dutch, must-read, even if you don't live there. also a damn slick custom WordPress skin)

Misc
http://neworder.box.sk/
http://ha.ckers.org/ (used to be one of cutting edge in webappsec, but is rarely updated these days)
http://sla.ckers.org/forum/list.php?13 (the "News and Links" subforum of ha.ckers.org, dunno how good it is, but the community is reasonably active)


Triple Zero

Entertaining and enlightening article about TSA Security Theater

http://www.theatlantic.com/doc/print/200811/airport-security

preaching to the choir, but it's an interesting article, check it out.

Cain

http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=222200373

PDF hacking looks interesting

Quote
In a blog posted earlier this week, Internet Storm Center researcher Bohan Zdrnja describes a new JavaScript exploit that hides in PDF files and exploits a known vulnerability.

The shellcode used for the exploit is remarkable in its small footprint and sophistication, Zdrnja reports. Just 38 bytes long, it works in two stages: The first stage seeks out targets and obfuscates the attack, then passes the baton to a second-stage shellcode that is capable of executing code on a victim's machine.

The exploit's construction makes it not only difficult for traditional antivirus tools to detect, but also masks the execution of the code so that the end user might not even know anything has happened, Zdrnja says.

"Not only was this a very interesting example of a malicious PDF document carrying a sophisticated 'warhead,' but it also showed the length attackers are willing to go to in order to make their malware as hard to detect as possible, not only for the AV vendors, but also for victims," the blog says. "If we are to judge the new year by sophistication the attackers started using, it does not look too good."

The new exploit feeds the fire of predictions that Adobe, not Microsoft, will be attackers' chief target in the new year. In its new threat predictions report, security firm McAfee projects there will be more attacks on Adobe in 2010 than on Windows.

Golden Applesauce

Quote from: Cain on January 09, 2010, 08:44:10 PM
http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=222200373

PDF hacking looks interesting

Quote
In a blog posted earlier this week, Internet Storm Center researcher Bohan Zdrnja describes a new JavaScript exploit that hides in PDF files and exploits a known vulnerability.

The shellcode used for the exploit is remarkable in its small footprint and sophistication, Zdrnja reports. Just 38 bytes long, it works in two stages: The first stage seeks out targets and obfuscates the attack, then passes the baton to a second-stage shellcode that is capable of executing code on a victim's machine.

The exploit's construction makes it not only difficult for traditional antivirus tools to detect, but also masks the execution of the code so that the end user might not even know anything has happened, Zdrnja says.

"Not only was this a very interesting example of a malicious PDF document carrying a sophisticated 'warhead,' but it also showed the length attackers are willing to go to in order to make their malware as hard to detect as possible, not only for the AV vendors, but also for victims," the blog says. "If we are to judge the new year by sophistication the attackers started using, it does not look too good."

The new exploit feeds the fire of predictions that Adobe, not Microsoft, will be attackers' chief target in the new year. In its new threat predictions report, security firm McAfee projects there will be more attacks on Adobe in 2010 than on Windows.

Looks like I'll be replacing Adobe with GScript on my Windows laptop...
Q: How regularly do you hire 8th graders?
A: We have hired a number of FORMER 8th graders.

Triple Zero

trying to find out what the exploit actually does, will post comment when I do (tomorrow probably)

Triple Zero

the blog post linked to in the article doesn't want to load, but here is google's cached version:

http://bit.ly/isc-sans-org-diary-html-storyid-7867

it's kind of techy, basically it's a buffer overflow type attack getting a malformed PDF to execute arbitrary machine code when it's loaded in Acrobat. solutions to defend yourself against this kind of thing are easy: 1) don't use Acrobat 2) if you have to, disable JavaScript execution in Acrobat 3) don't open PDFs from unknown sources.

number 1 is probably your best bet, cause number 2 is just the attack vector of this particular exploit, the next one might not exploit the JS engine but some other plugin, and 3 .. well .. where's the fun in that? :)

the remarkable thing about this particular exploit is not that it can be done, cause there are numerous bugs like this in adobe acrobloat. it's the way the hacker made this exploit's shellcode modular, or something, which is a nice touch.

another interesting finding is the mention that antivirus software does a pretty bad job at detecting it.

which is to be expected, cause they XOR the shellcode, which is a very simple form of obfuscation, real easy to decipher (it's similar to a "shift the alphabet 3 positions to the right" cipher) but of course this makes the simple pattern matching that AV software does impossible.

[rant] and no, anti virus "heuristics" is nothing more than a marketing buzzword that does absolutely nothing. as I pointed out in an earlier post, the reality of antivirus "heuristics" has never been anything more than matching with wildcards, which frankly was something I'd have expected them to do without calling it "heuristics". the whole shit about "analyzing the code to see if it does anything malicious" is just theoretical pipe dreams and has never been implemented, and probably never will because it is nearly impossible to do [in fact actual true automated code analysis is theoretically impossible, but perhaps something approximating it would be incredibly hard to design, and then probably laughably easy to circumvent too]

back in the old days when viruses were swapped on floppies with copied games and such, AV software was useful.

these days it is not, they are just ad-infested CPU and memory hogs -- pretty much like most viruses.

rantrantrant sorry :)
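The point made above about XOR'd shellcode, as an added example (this is illustrative code written for this thread, not code from the ISC diary, the Dark Reading article or any AV product): a single-byte XOR is its own inverse and has only 256 possible keys, so it is trivial to reverse, yet it is enough to hide a byte pattern from a scanner that only does plain substring matching. The `SIGNATURE` and `PLAINTEXT_PAYLOAD` bytes are constructed placeholders standing in for a shellcode fragment, not real shellcode; `naive_scan` and `xor_aware_scan` are hypothetical names for the two detection approaches being compared.

```python
"""Why single-byte XOR defeats plain signature matching, and how a scanner
that is aware of it recovers the pattern by trying every key.

Constructed example for illustration; the bytes below are placeholders,
not real shellcode and not a real AV signature.
"""

# Constructed: the byte pattern a signature-based scanner looks for.
SIGNATURE = b"MZ-EXEC-STUB"

# Constructed: a larger blob that contains the pattern in the clear.
PLAINTEXT_PAYLOAD = b"header\x00\x01" + SIGNATURE + b"\x90\x90trailer"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte.

    Like a Caesar shift, applying it twice with the same key gives the
    original back, so encoding and decoding are the same operation.
    """
    if not 0 <= key <= 0xFF:
        raise ValueError("single-byte key expected")
    return bytes(b ^ key for b in data)


def naive_scan(blob: bytes, signature: bytes = SIGNATURE) -> bool:
    """Plain substring match: what 'pattern matching' means in the post.

    Any byte-level encoding of the payload makes this return False even
    though the decoded code is unchanged.
    """
    return signature in blob


def xor_aware_scan(blob: bytes, signature: bytes = SIGNATURE):
    """Try all 256 single-byte keys; return the key under which the
    signature appears, or None if no key reveals it.

    Key 0 covers the unencoded case, so this is a strict superset of
    naive_scan. The keyspace is so small that brute force is cheap,
    which is exactly why the post calls the obfuscation 'real easy'.
    """
    for key in range(256):
        if signature in xor_bytes(blob, key):
            return key
    return None


if __name__ == "__main__":
    obfuscated = xor_bytes(PLAINTEXT_PAYLOAD, 0x5A)
    print("plain blob, naive scan:     ", naive_scan(PLAINTEXT_PAYLOAD))
    print("XOR'd blob, naive scan:     ", naive_scan(obfuscated))
    print("XOR'd blob, XOR-aware scan: ", xor_aware_scan(obfuscated))
```

The XOR-aware scanner only works because the key is a single byte that repeats; it says nothing about multi-byte keys, RC4-style stream encoding, or code that rebuilds itself at run time, which is one reason static signature matching keeps losing ground to behavioural detection.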

Triple Zero

apparently, IT [cyberwar!] IS ON, BITCHES.
info about that 0-day exploit Rat warned us about ("if you're running windoze" thread):

http://extraexploit.blogspot.com/2010/01/iexplorer-0day-cve-2010-0249.html

if that seems too technical for you, scan through a little bit and scroll to the heading "News and old news about" which contains some very juicy bits about how this exploit was the one that China used to compromise Google!

then go here to read the details on that, and how there are many, many other corporations hit, compromised in the same manner without even knowing it:

http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20100119

there are some more good links in those articles, but I haven't read them yet:

http://googleblog.blogspot.com/2010/01/new-approach-to-china.html
http://www.chinadaily.com.cn/world/2007-09/27/content_6139437.htm


Cramulus

Quote from: Triple Zero on May 25, 2010, 06:18:46 PM
hahaha this is hilarious:

http://milesb.tumblr.com/post/622434207/say-what-you-will-about-ligatt-security-the (50 second security ad video)

wow, that sounds like an excellent racket!

It's like, "Invest in our insurance package... if you don't want your kneecaps broken..."
Unkl Dad

CNBC's production Big Brother, Big Business
http://video.google.com/videoplay?docid=6061213358499552766#

Goes a bit into what information is kept by which corporations, names a few large data brokers and information security companies and gives a few case studies in which identities or information was stolen.

I just brought it up because I found it ironic that the show made allusions to Big Brother getting a hold of the data held by private entities for political uses or free speech suppression yet appears to suggest the solution is more government regulation and monitoring, which seems to default the information to the people it sees as the possible problem.


Cain

http://www.bbc.co.uk/news/technology-10850875

Quote
One visit to a booby-trapped website could direct attackers to a person's home, a security expert has shown.

The attack, thought up by hacker Samy Kamkar, exploits shortcomings in many routers to find out a key identification number.

It uses this number and widely available net tools to find out where a router is located.

Demonstrating the attack, Mr Kamkar located one router to within nine metres of its real world position.

'Creepy' attack

Many people go online via a router and typically only the computer directly connected to the device can interrogate it for ID information.

However, Mr Kamkar found a way to booby-trap a webpage via a browser so the request for the ID information looks like it is coming from the PC on which that page is being viewed.

He then coupled the ID information, known as a MAC address, with a geo-location feature of the Firefox web browser. This interrogates a Google database created when its cars were carrying out surveys for its Street View service.

This database links MAC addresses of routers with GPS co-ordinates to help locate them. During the demonstration, Mr Kamkar showed how straightforward it was to use the attack to identify someone's location to within a few metres.

"This is geo-location gone terrible," said Mr Kamkar during his presentation. "Privacy is dead, people. I'm sorry."

http://www.wired.com/threatlevel/2010/07/intercepting-cell-phone-calls/

Quote
A security researcher created a cell phone base station that tricks cell phones into routing their outbound calls through his device, allowing someone to intercept even encrypted calls in the clear.

The device tricks the phones into disabling encryption and records call details and content before they're routed on their proper way through voice-over-IP.

The low-cost, home-brewed device, developed by researcher Chris Paget, mimics more expensive devices already used by intelligence and law enforcement agencies – called IMSI catchers – that can capture phone ID data and content. The devices essentially spoof a legitimate GSM tower and entice cell phones to send them data by emitting a signal that's stronger than legitimate towers in the area.

"If you have the ability to deliver a reasonably strong signal, then those around are owned," Paget said.

Paget's system costs only about $1,500, as opposed to several hundreds of thousands for professional products. Most of the price is for the laptop he used to operate the system.

Doing this kind of interception "used to be a million dollars, now you can do it with a thousand times less cost," Paget said during a press conference after his attack. "If it's $1,500, it's just beyond the range that people can start buying them for themselves and listening in on their neighbors."

Paget's device captures only 2G GSM calls, making AT&T and T-Mobile calls, which use GSM, vulnerable to interception. Paget's aim was to highlight vulnerabilities in the GSM standard that allows a rogue station to capture calls. GSM is a second-generation technology that is not as secure as 3G technology.

Encrypted calls are not protected from interception because the rogue tower can simply turn it off. Although the GSM specifications say that a phone should pop up a warning when it connects to a station that does not have encryption, SIM cards disable that setting so that alerts are not displayed.

"Even though the GSM spec requires it, this is a deliberate choice on the cell phone makers," Paget said.

The system captures only outbound calls. Inbound calls would go directly to voicemail during the period that someone's phone is connected to Paget's tower.

The device could be used by corporate spies, criminals, or private investigators to intercept private calls of targets.

"Any information that goes across a cell phone you can now intercept," he said, except data. Professional grade IMSI catchers do capture data transfers, but Paget's system doesn't currently do this.

http://www.wired.co.uk/news/archive/2010-08/02/high-security-locks-cracked

Quote
The lock that would seem to have thwarted them the most was actually one of the easiest to crack. The Biolock Model 333 is a sleek £126 ($200) lock that combines a mechanical cylinder and fingerprint reader.

The Biolock fingerprint reader illuminates a blue LED when a fingerprint is authenticated. If the reader fails, a key can be inserted in a key port hidden behind a flip door in the handle.

"It's a very neatly designed container," says Tobias. "But the problem with this lock design is so elementary, frankly it defies belief."

The lock can be programmed with one or more "master" fingerprints, which can be used to authorise other users. To open the lock, a user touches the fingerprint pad, and a blue LED light illuminates to indicate the person is authorised, allowing the door handle to turn. The lock can also be unlocked with a remote-control.

If the fingerprint reader fails, a mechanical key can be used instead. The key entry is concealed beneath a flip door on the lever handle. And therein lies the security problem, Tobias says.

A paperclip inserted in the Biolock's key chamber (hidden behind a flip door) is used to push an internal pin and unlock the door, making the fingerprint reader superfluous.

The mechanical lock, which uses a bypass cylinder, can be easily thwarted with a paperclip inserted in the keyway to depress a pin that engages the latch. In two seconds, the researchers were able to open the lock.

"This is an absolute perfect example of insecurity engineering," Tobias says.

LMNO

YOU SHALL NOT--oh, yes, right this way...