07 May

Google’s Buildings Hackable

We reported this issue to the Google Vulnerability Rewards Program (VRP). After much heckling from my former colleagues at Google, they quickly pulled this system offline. We also applaud Google for creating a program like the VRP and giving us the chance to share our story with a wider audience. At the time of this blog post, this exact issue affects tens of thousands of devices on the Internet and thousands of different organizations. Thank you Google for helping us raise awareness on this issue! I asked that any proceeds from the VRP be donated to the Wounded Warrior Project, but apparently this issue doesn’t qualify for VRP rewards.

If you have a corporate campus or a modern building of any sort… you’re likely running similar systems someplace on your network. We’ve already discovered over twenty five thousand of these systems facing the Internet… one down, twenty four thousand, nine hundred, ninety nine to go 🙂

If Google can fall victim to an ICS attack, anyone can.

Hacking systems that control a building infrastructure.

16 Feb

ArsTechnica – High Orbits and Slowlorises: understanding the Anonymous attack tools

Most members of Anonymous would prefer to stay, well, anonymous. But as the group has engaged in increasingly high-profile attacks on government and corporate websites, doing so effectively and staying out of harm’s way have become an ever-growing challenge. To protect itself, the group has altered its tactics over the past year to both increase the firepower of its attacks and shield members from the prying eyes of law enforcement.

via ArsTechnica – High Orbits and Slowlorises: understanding the Anonymous attack tools. Fascinating look into both some of the tools Anonymous uses to launch its attacks and how it/they attempt to stay anonymous.

15 Jan

wingolog – Javascript eval Considered Crazy

What can an engine do when it sees eval?

Not much. It can’t even prove that it is actually eval unless eval is not bound lexically, there is no with, there is no intervening non-strict call to any identifier eval (regardless of whether it is eval or not), and the global object’s eval property is bound to the blessed eval function, and is configured as DontDelete and ReadOnly (not the default in web browsers).

But the very fact that an engine sees a call to an identifier eval poisons optimization: because eval can introduce variables, the scope of free variables is no longer lexically apparent, in many cases.

I’ll say it again: crazy!!!

via wingolog – Javascript eval Considered Crazy. No matter how crazy and unsafe you consider eval, this is just going to scare you a little more.
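The scope effects the post describes (direct eval declaring variables into the caller's scope, and the engine being unable to tell from the identifier alone whether a call is really eval), shown as an added JavaScript example that is not part of the wingolog post or this entry; the function bodies are built with `new Function` so they run in non-strict mode however this file is loaded, and `CODE` is a constructed input:

```javascript
// Added example (not wingolog's code): what a call to the identifier `eval`
// can do to a function's scope. Each body is built with `new Function` so it
// runs in non-strict ("sloppy") mode regardless of how this file is loaded.
const CODE = "var probe = 'from eval';";   // constructed input

// Direct eval in sloppy code: the evaluated code shares the caller's
// variable environment, so it overwrites the local `probe`.
const directSloppy = new Function("code",
  "var probe = 'outer'; eval(code); return probe;");

// Direct eval in strict code: eval gets its own variable environment,
// so the local `probe` survives.
const directStrict = new Function("code",
  "'use strict'; var probe = 'outer'; eval(code); return probe;");

// Indirect eval: `(0, eval)` is an ordinary call, not the identifier `eval`,
// so the code runs in global scope. The local `probe` is untouched, but a
// global `probe` is created as a side effect.
const indirect = new Function("code",
  "var probe = 'outer'; (0, eval)(code); return probe;");

// The identifier `eval` bound lexically (here, as a parameter). If the binding
// holds the real eval the call is still a direct eval; if it holds anything
// else it is a plain call. The engine cannot know which until runtime.
const lexicallyBound = new Function("eval", "code",
  "var probe = 'outer'; eval(code); return probe;");

function runAll() {
  const results = {
    directSloppy: directSloppy(CODE),                    // "from eval"
    directStrict: directStrict(CODE),                    // "outer"
    indirect: indirect(CODE),                            // "outer"
    globalLeak: typeof globalThis.probe,                 // "string"
    boundToRealEval: lexicallyBound(eval, CODE),         // "from eval"
    boundToOther: lexicallyBound((s) => s.length, CODE), // "outer"
  };
  delete globalThis.probe;   // remove the global created by the indirect eval
  return results;
}

console.log(runAll());
```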

06 Dec

Ars Technica – Google Earth, other mobile apps leave door open for scripting attacks

In the rush to create mobile apps that work across the leading smartphones and tablets, many developers have leaned heavily on web development tools and use embedded browsers as part of their packaged applications. But security researchers have shown that relying on browser technology in mobile apps—and even some desktop apps—can result in hidden vulnerabilities in those applications that can give an attacker access to local data and device features through cross-site scripting.

via Ars Technica – Google Earth, other mobile apps leave door open for scripting attacks. Oops, just because it doesn’t look like a browser doesn’t mean it doesn’t suffer the same security holes.

14 Nov

Stanford researchers outsmart captcha codes

Stanford researchers say that captcha security codes, asking Internet sign-up users to repeat a string of letters to prove the users are human, can be thwarted, and they have successfully defeated captcha at big name sites such as Visa, CNN, and eBay as proof. In fact, they found that thirteen out of 15 high-profile sites were vulnerable to automated attacks.

via Stanford researchers outsmart captcha codes. The only two that came out unscathed: Google and reCAPTCHA.

27 Oct

DARPA Shredder Challenge

Today’s troops often confiscate the remnants of destroyed documents in war zones, but reconstructing them is a daunting task. DARPA’s Shredder Challenge calls upon computer scientists, puzzle enthusiasts and anyone else who likes solving complex problems to compete for up to $50,000 by piecing together a series of shredded documents.

The goal is to identify and assess potential capabilities that could be used by our warfighters operating in war zones, but might also create vulnerabilities to sensitive information that is protected through our own shredding practices throughout the U.S. national security community.

Do you have the skills to reconstruct shredded documents and solve the puzzle?

Can you form a team to help solve the complex physical and analytical problems associated with document reconstruction?

If so, register today for a chance to win $50,000!

via DARPA Shredder Challenge. Neat challenge; it would be cool to work on this problem, but image analysis is so far out of my area of expertise. It’s also nice to know that, as it stands, a good cross-cut shredder renders your documents virtually useless to either law enforcement or criminals.

05 Oct

NYTimes.com – Bank of America Explains Web Site Problems

After nearly a week of interruptions and slowdowns that made its Web site inaccessible at times, Bank of America said Wednesday the problems stemmed from a combination of heavy traffic along with the rollout of a new computer system.

With nearly 30 million online banking customers and the nation’s busiest bank Web site, the failures spurred consumer anger, with account holders in some cases unable to pay bills electronically or check their balances.

“Our priority is delivering the speed and functionality our customers expect,” said David Owen, senior vice president and head of online and mobile banking for Bank of America. “We take this very seriously, and this has been very disappointing in terms of not meeting those expectations this week.”

While the site seemed to be functioning normally by Wednesday evening, Mr. Owen was not declaring victory. “We’re taking this day by day,” he said.

The problems first cropped up on Friday, a day after the bank, the nation’s largest, announced it would impose a new $5 a month charge for some debit cardholders. But Mr. Owen insisted the problems were not caused by hackers unhappy with the new fee or by efforts to flood the site with traffic as a protest, a strategy called a denial-of-service attack.

via NYTimes.com – Bank of America Explains Web Site Problems. Bank of America: we weren’t hacked, we’re just incompetent.

02 Oct

Macworld – The App Culture

Apple getting serious about app security is a good thing. Unfortunately, many of the apps we Mac users have come to know and love over the years require a broad amount of access to the system for a lot of their key functions. Not as much as SuperDuper, say, but still quite a lot. What I’m hearing from some Mac developers is that they may actually have to remove features from their apps, or reduce their functionality, in order to fit them inside Apple’s new sandbox. (For more on this topic, read Andy Ihnatko’s take.)

Not only does this approach risk turning the Mac App Store into a wasteland of arcade games and one-trick-pony apps, it risks dumbing down the Mac app ecosystem as a whole. While developers can always opt out of the Mac App Store, they’re reluctant to do so. Not only are they afraid that Apple will one day make new Macs unable to run apps that don’t come from the App Store, but they realize that if their competitors are in the Mac App Store, they risk losing sales. It’s generally too expensive to develop two separate versions of an app, so the net result of tighter App Store restrictions could be that Mac apps everywhere—on and off the store—will actually become less powerful.

That’s the wrong direction for Apple to take the Mac. Here’s hoping Apple finds a way to keep our Macs secure, while allowing OS X apps to remain as powerful and innovative as they’ve been over the last decade. Mac users deserve both security and power—and the Mac App Store should be a showcase for the very best that Mac software developers have to offer.

via Macworld – The App Culture. This was the largest fear with Lion, and Apple has yet to respond in a way that alleviates people’s fears for apps that need a higher level of access than it appears Apple will allow.

27 Sep

Ars Technica – Three Senators condemn OnStar for tracking former customers

Three Senators have raised concerns about an announcement by GM’s OnStar subsidiary that it would continue collecting data from customers’ cars even after they cancelled their OnStar service. In a Wednesday letter to the company, Al Franken (D-MN) and Chris Coons (D-DE) warned that "OnStar’s actions appear to violate basic principles of privacy and fairness."

On Sunday, Sen. Chuck Schumer (D-NY) raised objections of his own. He released a letter he has written to the Federal Trade Commission seeking an investigation of OnStar’s privacy practices. Schumer described OnStar’s new policy as "one of the most brazen invasions of privacy in recent memory."

via Ars Technica – Three Senators condemn OnStar for tracking former customers. Glad I don’t own a vehicle with OnStar installed. It’s more than a little sleazy to collect and sell information from former customers.