07 May

Google’s Buildings Hackable

We reported this issue to the Google Vulnerability Rewards Program (VRP). After much heckling from my former colleagues at Google, they quickly pulled this system offline. We also applaud Google for creating a program like the VRP and giving us the chance to share our story with a wider audience. At the time of this blog post, this exact issue affects tens of thousands of devices on the Internet and thousands of different organizations. Thank you Google for helping us raise awareness on this issue! I asked that any proceeds from the VRP be donated to the Wounded Warrior Project, but apparently this issue doesn’t qualify for VRP rewards.

If you have a corporate campus or a modern building of any sort… you’re likely running similar systems someplace on your network. We’ve already discovered over twenty five thousand of these systems facing the Internet… one down, twenty four thousand, nine hundred, ninety nine to go 🙂

If Google can fall victim to an ICS attack, anyone can.

Hacking systems that control a building infrastructure.

16 Feb

ArsTechnica – High Orbits and Slowlorises: understanding the Anonymous attack tools

Most members of Anonymous would prefer to stay, well, anonymous. But as the group has engaged in increasingly high-profile attacks on government and corporate websites, doing so effectively and staying out of harm’s way have become an ever-growing challenge. To protect itself, the group has altered its tactics over the past year to both increase the firepower of its attacks and shield members from the prying eyes of law enforcement.

via ArsTechnica – High Orbits and Slowlorises: understanding the Anonymous attack tools. Fascinating look into both some of the tools Anonymous uses to launch its attacks and how it/they attempt to stay anonymous.

06 Dec

Ars Technica – Google Earth, other mobile apps leave door open for scripting attacks

In the rush to create mobile apps that work across the leading smartphones and tablets, many developers have leaned heavily on web development tools and use embedded browsers as part of their packaged applications. But security researchers have shown that relying on browser technology in mobile apps—and even some desktop apps—can result in hidden vulnerabilities in those applications that can give an attacker access to local data and device features through cross-site scripting.

via Ars Technica – Google Earth, other mobile apps leave door open for scripting attacks. Oops, just because it doesn’t look like a browser doesn’t mean it doesn’t suffer the same security holes.

05 Oct

NYTimes.com – Bank of America Explains Web Site Problems

After nearly a week of interruptions and slowdowns that made its Web site inaccessible at times, Bank of America said Wednesday the problems stemmed from a combination of heavy traffic along with the rollout of a new computer system.

With nearly 30 million online banking customers and the nation’s busiest bank Web site, the failures spurred consumer anger, with account holders in some cases unable to pay bills electronically or check their balances.

“Our priority is delivering the speed and functionality our customers expect,” said David Owen, senior vice president and head of online and mobile banking for Bank of America. “We take this very seriously, and this has been very disappointing in terms of not meeting those expectations this week.”

While the site seemed to be functioning normally by Wednesday evening, Mr. Owen was not declaring victory. “We’re taking this day by day,” he said.

The problems first cropped up on Friday, a day after the bank, the nation’s largest, announced it would impose a new $5 a month charge for some debit cardholders. But Mr. Owen insisted the problems were not caused by hackers unhappy with the new fee or by efforts to flood the site with traffic as a protest, a strategy called a denial-of-service attack.

via NYTimes.com – Bank of America Explains Web Site Problems. Bank of America, we weren’t hacked, instead we are just incompetent.

26 Sep

PCMag – Google Patches Flash Zero Day Bug, Jumps the Gun on Adobe Again

Google has developed a bad habit with respect to patching vulnerabilities in the integrated version of Adobe Flash in their Chrome for Windows browser: They release and announce the updates before Adobe does. They have done it several times in the last year or so and today they did it again. "The Beta and Stable channels have been updated to 14.0.835.186 for Windows, Mac, Linux, and Chrome Frame."

This creates a situation in which Adobe has a zero day bug with increased severity. It’s likely that they aren’t ready to release their own patches, yet 3rd parties could look at the Chrome update and potentially examine it in order to determine what it is patching. From that they could construct an exploit.

via PCMag – Google Patches Flash Zero Day Bug, Jumps the Gun on Adobe Again. The bad habit isn’t Google patching security holes, it’s Adobe not patching them first.

20 Jul

codahale.com – A Lesson In Timing Attacks (or, Don’t use MessageDigest.isEquals)

I’ll be blunt here: any Java application which compares client-provided data to a secret value using MessageDigest.isEqual is vulnerable to timing attacks. This includes HMACs, decryption results, etc.

via codahale.com – A Lesson In Timing Attacks (or, Don’t use MessageDigest.isEquals). Nice intro to timing attacks along the way.
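
The comparison problem the linked post is about, as an added example (not code from codahale.com or from this blog): an early-exit byte comparison next to a constant-time one, both checked against a constructed HMAC tag. The class name, key and message are made up for illustration, and counted loop iterations stand in for elapsed time.

```java
import java.nio.charset.StandardCharsets;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class TagCompare { // hypothetical class name
    static int steps; // loop iterations used by the last comparison

    // Early-exit comparison: returns at the first mismatching byte, so the
    // amount of work depends on how many leading bytes were correct.
    static boolean leakyEquals(byte[] expected, byte[] provided) {
        steps = 0;
        if (expected.length != provided.length) return false;
        for (int i = 0; i < expected.length; i++) {
            steps++;
            if (expected[i] != provided[i]) return false;
        }
        return true;
    }

    // Constant-time comparison: visits every byte and accumulates the
    // differences, so the work is the same wherever the mismatch is.
    static boolean constantTimeEquals(byte[] expected, byte[] provided) {
        steps = 0;
        if (expected.length != provided.length) return false;
        int diff = 0;
        for (int i = 0; i < expected.length; i++) {
            steps++;
            diff |= expected[i] ^ provided[i];
        }
        return diff == 0;
    }

    public static void main(String[] args) throws Exception {
        // Constructed key and message, for illustration only.
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec("demo-key".getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
        byte[] tag = mac.doFinal("amount=10".getBytes(StandardCharsets.UTF_8));
        byte[] wrongFirst = tag.clone();
        wrongFirst[0] ^= 1;               // mismatch in the first byte
        byte[] wrongLast = tag.clone();
        wrongLast[tag.length - 1] ^= 1;   // mismatch in the last byte

        for (byte[] guess : new byte[][] {wrongFirst, wrongLast}) {
            boolean leaky = leakyEquals(tag, guess);
            int leakySteps = steps;
            boolean constant = constantTimeEquals(tag, guess);
            System.out.println("leaky=" + leaky + " in " + leakySteps
                    + " steps, constant-time=" + constant + " in " + steps + " steps");
        }
    }
}
```

Both functions reject both guesses; only the early-exit version does a different amount of work for each, and that difference is the signal a timing attack measures.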

23 Jun

Should I Change My Password?

ShouldIChangeMyPassword.com has been created to help the average person check if their password(s) may have been compromised and need to be changed.

This site uses a number of databases that have been released by hackers to the public. No passwords are stored in the ShouldIChangeMyPassword.com database.

via Should I Change My Password?. I’m safe at least at the moment, how about you?

08 May

Throwing Fire – LastPass Disclosure Shows Why We Can’t Have Nice Things

LastPass announced nothing more than that their recent statistics looked strange, and because of that they wanted to stay on the safe side just in case there was a breach—although that was unlikely—and the press responded exactly as it would if LastPass had been caught trying to cover up a definite leak.

(In the worst case scenario, a breach of LastPass’ data would reveal nothing more than master password hashes that are virtually uncrackable if the original password has just minimal complexity. Everything else, including information about individual websites and passwords, would be nothing more than an encrypted blob, the contents of which are inaccessible without the original password.)

You can argue if it’s wise to store your passwords online, but at least treat the few companies who act right right.

By acting the way they were supposed to, LastPass only hurt themselves — and that’s why we can’t have nice things.

via Throwing Fire – LastPass Disclosure Shows Why We Can’t Have Nice Things. Even the technology journalism sites can’t get things right on occasion.

12 Dec

Geek Juice – Journalists need to learn what a ‘hacker’ really is

The misconception that what these teenagers did is ‘hacking’ needs to be corrected. Journalists need to research what they’re talking about, especially if they are doing a cover story for one of the biggest newspapers in the country.

Today, I’m stepping up to the challenge. I shall once and for all make it clear what ‘hacking’ really is, while also helping you understand how a group of kids can take down a corporate website with little to no knowledge of even the basics of hacking.

via Geek Juice – Journalists need to learn what a ‘hacker’ really is. Journalism unfortunately by its nature leads people with limited training in any area other than writing to report on areas upon which they have no or limited knowledge, thus leading them to say incorrect/stupid stuff.