07 May

Google’s Buildings Hackable

We reported this issue to the Google Vulnerability Rewards Program (VRP). After much heckling from my former colleagues at Google, they quickly pulled this system offline. We also applaud Google for creating a program like the VRP and giving us the chance to share our story with a wider audience. At the time of this blog post, this exact issue affects tens of thousands of devices on the Internet and thousands of different organizations. Thank you Google for helping us raise awareness on this issue! I asked that any proceeds from the VRP be donated to the Wounded Warrior Project, but apparently this issue doesn’t qualify for VRP rewards.

If you have a corporate campus or a modern building of any sort… you’re likely running similar systems someplace on your network. We’ve already discovered over twenty-five thousand of these systems facing the Internet… one down, twenty-four thousand, nine hundred and ninety-nine to go 🙂

If Google can fall victim to an ICS attack, anyone can.

Hacking systems that control a building’s infrastructure.

16 Feb

ArsTechnica – High Orbits and Slowlorises: understanding the Anonymous attack tools

Most members of Anonymous would prefer to stay, well, anonymous. But as the group has engaged in increasingly high-profile attacks on government and corporate websites, doing so effectively and staying out of harm’s way have become an ever-growing challenge. To protect itself, the group has altered its tactics over the past year to both increase the firepower of its attacks and shield members from the prying eyes of law enforcement.

via ArsTechnica – High Orbits and Slowlorises: understanding the Anonymous attack tools. Fascinating look into both some of the tools Anonymous uses to launch its attacks and how it/they attempt to stay anonymous.

15 Feb

Incubaid Research – Rediscovering the RSync Algorithm

Don’t walk the folder and ‘rsync’ each file you encounter. A small calculation will show you how bad it really is.

Suppose you have 20000 files, each 1KB. Suppose 1 rsync costs you about 0.1s (reading the file, sending over the signature, building the stream of updates, applying them). This costs you about 2000s or more than half an hour.

System administrators know better: they would not hesitate: “tar the tree, sync the tars, and untar the synced tar”.

Suppose each of the actions takes 5s (overestimating), you’re still synced in 15s.

via Incubaid Research – Rediscovering the RSync Algorithm. The right way to sync two remote file systems.

16 Jan

O’Reilly Radar – The President’s challenge

All I can think is: we gave you the Internet. We gave you the Web. We gave you MP3 and MP4. We gave you e-commerce, micropayments, PayPal, Netflix, iTunes, Amazon, the iPad, the iPhone, the laptop, 3G, wifi–hell, you can even get online while you’re on an AIRPLANE. What the hell more do you want from us?

Take the truck, the boat, the helicopter, that we’ve sent you. Don’t wait for the time machine, because we’re never going to invent something that returns you to 1965 when copying was hard and you could treat the customer’s convenience with contempt.

via O’Reilly Radar – The President’s challenge. Cory Doctorow has a wonderful saying: “Copying is never going to get harder than it is now.” The idea that we’ll be able to go back in time and make it harder for people to get digital information/media/anything is just wrong. Businesses (hello entertainment industry) seem to ignore that fact time and time again. Businesses can either accept that getting media via the internet is getting easier and easier and try to make it simpler for consumers to get it legally, or they will fail.

16 Jan

ArsTechnica – Wikipedia to join reddit in SOPA blackout Wednesday

Seeking to “send Washington a BIG message,” Wikipedia founder Jimmy Wales has announced that the English version of Wikipedia will go dark on Wednesday to protest the Stop Online Piracy Act and Protect IP Act, anti-piracy bills now being considered by Congress.

“Student warning!” Wales tweeted on Monday. “Do your homework early. Wikipedia protesting bad law on Wednesday!”

He said the blackout, which is expected to last 24 hours, was a decision of the Wikipedia community.

via ArsTechnica – Wikipedia to join reddit in SOPA blackout Wednesday. I’ll also be posting a message to protest and inform people about PIPA and SOPA, though I imagine Wikipedia will have a much larger influence. Stop American Censorship is your one-stop information portal to find out more about SOPA and PIPA and how these bills hurt the internet.

15 Jan

wingolog – JavaScript eval Considered Crazy

What can an engine do when it sees eval?

Not much. It can’t even prove that it is actually eval unless eval is not bound lexically, there is no with, there is no intervening non-strict call to any identifier eval (regardless of whether it is eval or not), and the global object’s eval property is bound to the blessed eval function, and is configured as DontDelete and ReadOnly (not the default in web browsers).

But the very fact that an engine sees a call to an identifier eval poisons optimization: because eval can introduce variables, the scope of free variables is no longer lexically apparent, in many cases.

I’ll say it again: crazy!!!

via wingolog – JavaScript eval Considered Crazy. No matter how crazy and unsafe you consider eval, this is just going to scare you a little more.
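The conditions the quote lists, shown as runnable JavaScript (an added example, not code from the wingolog post or this blog; the function names are my own): a sloppy-mode direct eval leaking a declaration into the caller’s scope, a strict eval not doing so, an indirect eval, a lexically rebound `eval`, and the default writable/configurable global `eval` property together with the hardening step that pins it.

```javascript
// Added example, not from the wingolog post or this blog. Each function shows
// one reason an engine cannot statically trust a call to the identifier `eval`.
// `new Function` bodies are always sloppy-mode, so the sloppy cases behave the
// same whether this file is loaded as CommonJS or as a (strict) ES module.

// 1. Sloppy direct eval may declare variables in the caller's scope, so the
//    binding of a free identifier (`y` here) is not lexically apparent.
const sloppyDirectEval = new Function("code",
  "eval(code); return typeof y;");

// 2. Strict direct eval gets its own variable environment: `y` stays unbound.
function strictDirectEval(code) {
  "use strict";
  eval(code);
  return typeof y;
}

// 3. Indirect eval (a call through another name) runs in global scope and
//    cannot see the caller's locals, e.g. `local` below.
function indirectEval(code) {
  var local = "only visible to a direct eval";
  var geval = eval;
  return geval(code);
}

// 4. In sloppy code `eval` can be rebound lexically, so the identifier alone
//    does not tell the engine which function will actually run.
const shadowedEval = new Function("code",
  "var eval = function (src) { return 'intercepted: ' + src; };" +
  " return eval(code);");

// 5. By default the global `eval` property is writable and configurable (the
//    browser default the post refers to), so the binding can change at run time.
function globalEvalDescriptor() {
  const d = Object.getOwnPropertyDescriptor(globalThis, "eval");
  return { writable: d.writable, configurable: d.configurable };
}

// Hardening: pin the global binding as ReadOnly and DontDelete, the state the
// post says an engine would need before it could prove `eval` is `eval`.
function lockGlobalEval() {
  Object.defineProperty(globalThis, "eval",
    { writable: false, configurable: false });
  return globalEvalDescriptor();
}
```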

06 Dec

Ars Technica – Google Earth, other mobile apps leave door open for scripting attacks

In the rush to create mobile apps that work across the leading smartphones and tablets, many developers have leaned heavily on web development tools and use embedded browsers as part of their packaged applications. But security researchers have shown that relying on browser technology in mobile apps—and even some desktop apps—can result in hidden vulnerabilities in those applications that can give an attacker access to local data and device features through cross-site scripting.

via Ars Technica – Google Earth, other mobile apps leave door open for scripting attacks. Oops, just because it doesn’t look like a browser doesn’t mean it doesn’t suffer the same security holes.

27 Oct

DARPA Shredder Challenge

Today’s troops often confiscate the remnants of destroyed documents in war zones, but reconstructing them is a daunting task. DARPA’s Shredder Challenge calls upon computer scientists, puzzle enthusiasts and anyone else who likes solving complex problems to compete for up to $50,000 by piecing together a series of shredded documents.

The goal is to identify and assess potential capabilities that could be used by our warfighters operating in war zones, but might also create vulnerabilities to sensitive information that is protected through our own shredding practices throughout the U.S. national security community.

Do you have the skills to reconstruct shredded documents and solve the puzzle?

Can you form a team to help solve the complex physical and analytical problems associated with document reconstruction?

If so, register today for a chance to win $50,000!

via DARPA Shredder Challenge. Neat challenge; it would be cool to work on this problem, but image analysis is so far out of my area of expertise. It’s nice to know also that, as it stands, a good cross-cut shredder renders your documents virtually useless to either law enforcement or criminals.

05 Oct

NYTimes.com – Bank of America Explains Web Site Problems

After nearly a week of interruptions and slowdowns that made its Web site inaccessible at times, Bank of America said Wednesday the problems stemmed from a combination of heavy traffic along with the rollout of a new computer system.

With nearly 30 million online banking customers and the nation’s busiest bank Web site, the failures spurred consumer anger, with account holders in some cases unable to pay bills electronically or check their balances.

“Our priority is delivering the speed and functionality our customers expect,” said David Owen, senior vice president and head of online and mobile banking for Bank of America. “We take this very seriously, and this has been very disappointing in terms of not meeting those expectations this week.”

While the site seemed to be functioning normally by Wednesday evening, Mr. Owen was not declaring victory. “We’re taking this day by day,” he said.

The problems first cropped up on Friday, a day after the bank, the nation’s largest, announced it would impose a new $5 a month charge for some debit cardholders. But Mr. Owen insisted the problems were not caused by hackers unhappy with the new fee or by efforts to flood the site with traffic as a protest, a strategy called a denial-of-service attack.

via NYTimes.com – Bank of America Explains Web Site Problems. Bank of America: we weren’t hacked; instead, we are just incompetent.