Smart Life Store Security News Feed

Your tires sold you out, man!
Traffic cameras aren't required to track your driving. Researchers from Rutgers and USC have determined that low-pressure sensors in car tires can be passively read, tracking a vehicle's route.

Position-based quantum cryptography theoretically proved
Our results open a fascinating new direction for position-based security in cryptography where security of protocols is solely based on the laws of physics and proofs of security do not require any pre-existing infrastructure.

Oh no, not again.
Computer security experts have recently discovered a vulnerability/design flaw in Microsoft Windows that has been part of the operating system since Windows 2000 and affects all versions since then, including XP, Vista, and Windows 7. (1, 2, 3, 4) "The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the icon of a specially crafted shortcut is displayed. This vulnerability can be exploited locally through a malicious USB drive, or remotely via network shares and WebDAV. An exploit can also be included in specific document types that support embedded shortcuts." -- Microsoft. Microsoft is working on a permanent fix for it, but there has been no firm timeline for its release. In the meantime, they're recommending several temporary workarounds, one of which involves turning off icons for shortcuts. On the other hand ... "While attacks using this do seem to be sophisticated, they are at present very limited in nature. Looks like someone crafted this attack for a specific job. The good news from that is that this vulnerability isn't in wide circulation. So while it could be loaded onto a USB flash drive or CD, or even leveraged remotely via network shares and WebDAV, the chances of you being affected by this vulnerability is as close to zero as to be zero. On top of that, by now most of the top antivirus providers will have updated their signature files in order to be able to detect and defend against this nasty. ... So, should you be worried? No." -- Adrian Kingsley-Hughes, ZDNet. If that doesn't put your mind at ease, there's always this.

*sigh* Sometimes I hate computers...
"Millions" Of Home Routers Vulnerable to a Web Hack At the upcoming Black Hat Conference, to be held on July 29th in Las Vegas this year, a security researcher and ethical hacker named Craig Heffner will reveal a software tool to exploit a large-scale vulnerability in most home routers that will give users outside of the network access to the device. The attack is a type of DNS Rebinding, and would allow a hacker to monitor and control internet traffic that goes through a compromised router. This is an issue, as many home users rarely interact with a router to change its default password or update its firmware. Could this be an increasingly large issue at the consumer level as more external devices move online?

"Collectively, we lose more than 10,300 hours per year retrieving lost passwords."
LastPass is the last password manager you'll ever need. Available on almost all common platforms, it's easy to use, and free. When it detects that you're keying in a new password for a website, it will offer to generate a very secure password for you. And then it will remember it for you, storing it securely online, so you don't have to worry about synchronizing different devices with your newest logins. And it automatically fills in saved log-ins and forms with the click of a button.

Clearance is denied
In accordance with Executive Order 10865 of 1960 & DoD Directive 5220.6 of 1992 (original PDF), the Department of Defense has published the reasons for granting or turning down applications for Clearance by 444 Defense contractor personnel in 2010 (so far).

"Be afraid. Be very afraid."
Starting today, Starbucks is offering free wifi in all of their US and Canadian stores. This has computer security folks a little edgy, since it could allow hackers and computer miscreants new opportunities to steal the data of unsuspecting computer users, and prompted Steve Gibson, computer security guru, to advise people to "just be afraid. Be very afraid." This applies to people who use laptops, wifi-enabled cellphones and PDAs. But there are ways to protect yourself. The biggest threat comes from packet sniffers. This is a program that hackers can use to analyze all of the traffic on the Starbucks store's (or any open wifi) network. They just sit and wait for people to connect to email, Amazon, or financial institutions and hope they send their passwords over a non-encrypted connection. They can also set up something called a "man in the middle" attack, where they sit and wait for you to try to connect to a server, then intercept the communication, record everything, and pass it on to the legitimate destination without you being any the wiser. One of the more popular activities you'll probably want to do on the open wifi is checking your email. By default, the iPhone uses a secure connection to hook you up with a normal email server (POP, IMAP, and SMTP). On your PC or Mac notebook, you will probably need to specifically tell it to connect using a secure connection. And regardless of the device you use, if you use an online service for your mail, chances are your password may be sent in a secure manner, but once you're past that, the messages you read will be sent in the open from services like Yahoo, AOL, .Mac, or Gmail (though you can force Gmail to work securely by connecting to https://gmail.com as opposed to http://gmail.com. There's also a setting in your preferences that forces it to work securely.)
One other option is to use a service called HushMail (previously), and have all your email sources forward to your HushMail account, which is always encrypted. One way you can keep everything you do secure is to set up a virtual private network (or 'VPN') tunnel between you and a secure computer elsewhere on the net (like your home or office). That way, all of your communication is encrypted, no matter whether your connection to a given website is secure or not. OpenVPN is a good example of the software you could use, and it's free and open source, but it can be tricky to set up. There are other programs you could use that are easier to install, but they usually cost money (examples: GoToMyPC, which requires you to set up a remote PC with a program to monitor and receive your connection; HideMyAss and SecureTunnel, which let you use one of their computers, which they set up and control (called a proxy)). Short of that, there are Firefox add-ons that can help protect you. SSLPasswdWarning provides a warning if you click on a password input field that will transmit insecurely over a non-HTTPS connection. Facebook Secure forces Facebook to use a secure connection. And while you're thinking about computer security, you should probably make sure your browser plug-ins are all up to date. Mozilla has a web page that will check all of your plug-ins, regardless of the browser you're using.

'Some of these guys are just perverts.'
'They blow each other up by mistake. They bungle even simple schemes. They get intimate with cows and donkeys. Our terrorist enemies trade on the perception that they're well trained and religiously devout, but in fact, many are fools and perverts who are far less organized and sophisticated than we imagine. Can being more realistic about who our foes actually are help us stop the truly dangerous ones?' The Case for Calling Them Nitwits.

Andrew "bunnie" Huang: taking it apart and making it better, then telling others how it's done
Andrew Shane Huang is a 35 year old hardware hacker, known to some as bunnie, and to others as that guy who hacked the Xbox and went on to write a book about it. Finding the hidden key to the Xbox was an enjoyable distraction while he worked on getting his PhD in Electrical Engineering from MIT as part of Project Aries. Since then, he has written for (and been written about in) Make Magazine, and has given talks on the strategy of hardware openness and manufacturing practices in China, as experienced during the development of the open-source ambient "internet-based TV" called Chumby. When he's not busy on such excursions, bunnie writes about hacking (and more specifically, Chumby hacking), technology in China, and even biology in exquisite detail on the bunnie studios blog (previously). More bunnie goodness:
* While at MIT, Andrew was part of the first Project ORCA team at the first annual International Autonomous Underwater Vehicle Competition, where they won first place, in part because the other three teams didn't complete the course. The competition was sponsored by the Office of Naval Research (ONR) and the Association for Unmanned Vehicle Systems International (AUVSI)
* More on Hacking the Xbox (An Introduction to Reverse Engineering), which is partially available online through Google Books
* bunnie's write-up on the Shanzhai tech trend was tucked into a previous post, but is worth more attention.
* Overview of the Mobile Phone Mega-Market in Shenzhen and discussion of mobile phone schematics that are available in Chinese markets
* A visit to the electronics markets of Shenzhen, organized by Andrew Huang, and hacking the Chumby in a hotel room with parts picked up from the Shenzhen markets
* Make your own 3G router with a Chumby One and certain 3G USB modems
* The Chumby was mentioned in a larger Zoltar the Fortune Teller post.
* Review of the Sony Dash, powered by Chumby
* An interview with Andrew Huang, discussing hardware hacking, the downfall of Radio Shack, the DMCA, (defunct) internet appliances like the 3Com Audrey, living and working with Chinese manufacturers, and more

How to become the world's No. 1 hacker/plagiarist
Cyber security consultant & self-styled "innovator, leader & visionary" Greg Evans has just written & self-published a book titled How To Become The World's No. 1 Hacker. Or did he? His company, LIGATT Security International, counts Philips Arena, the NBA Atlanta Hawks and the NHL Atlanta Thrashers among its clients. Or does it?

"If you had unprecedented access to classified networks 14 hours a day 7 days a week for 8+ months, what would you do?"
Wired reports a US Intelligence Analyst has been arrested in connection with the "Collateral Murder" video released by Wikileaks. According to the article, SPC Bradley Manning was turned in by former hacker Adrian Lamo based on concerns about Manning's threat to leak an additional 260,000 classified embassy cables.

My Name is Todd Davis. This is my social security number...
Anti-identity-theft firm LifeLock was fined $12 million in March for deceptive business practices by the FTC. More bad news: their CEO had his identity stolen 13 times after posting his own social security number in company ads as proof they could protect him. Company/co-founder profile and exposé from the Phoenix New Times: What Happened in Vegas....

Yarchive - Notes from the hinterland.
Yarchive is one man's collection of UseNET posts on the topics of Air Conditioning; Aircraft; Bicycles; Cars; Chemistry; Computers; Electrical, Electronic; Environment; Explosives, Pyrotechnics; Food; Houses; Guns; Jokes; Medicine; Metalworking; Military; Nuclear; Telephones; Physics; Risks; Security; Space, mostly from a select group of authors. It has been updated several times since it first appeared here in 2001 and it never fails to sucker me in for hours every time I stumble upon it from a Google search. My favourites include: Sometimes SOP includes parking a truck on a missile silo; Carburetor Oil; Automotive engine pistons turned from wood; Ky Jellycuckooa; Linus Torvalds On Linus Torvalds; Bare Metal Programming. The formatting is old school, but then so is UseNET. The complete archives are available as a series of compressed files, so no need to wget if you wish a local mirror.

Town & Country & Infinity
Chrysler's recent announcement of a three year technical collaboration with NASA continues the automaker's long involvement with the agency, including production of the historic Redstone, reliable Jupiter, and mighty Saturn launch vehicles, and the design of an unusual Space Shuttle called SERV. Of course this was before we spelled Chrysler "F-I-A-T".

Fun with secret questions and answers
"My new bank, Ally Bank, configures a security question and answer for customer service calls. In addition to your SSN, date of birth, and mother's maiden name they also ask you the question you specify and wait for the answer you've provided. A real live human operator always asks the question and waits for a real live answer. This measure has the potential to not just improve my account security but add entertainment value as well."

I'm not trying to scare you!
Scareware comprises several classes of scam software with malicious payloads, or of limited or no benefit, that are marketed to consumers by scaring them. One frequently seen version is rogue security software that deceives users into paying for the fake or simulated removal of malware. The N. Y. Times site inadvertently displayed a scareware message last September. Ransomware is computer malware which holds a computer system, or the data it contains, hostage against its user by demanding a ransom for its restoration. A recently seen version pretends to be the fake ICPP Foundation. The victim is informed that an "Antipiracy foundation scanner" has found illegal torrents and that they must pay $400 (via credit card) to avoid jail and huge fines. (Microsoft Genuine Advantage, which can display "periodic reminders", has been legally ruled non-spyware.) Macs are not immune to ransomware.

It was hot, the night we burned Chrome
Canadian researchers have uncovered a vast "Shadow Network" of online espionage based in China that used seemingly harmless means such as e-mail and Twitter to extract highly sensitive data. Stolen documents recovered in a year-long investigation show the hackers have breached the servers of dozens of countries and organizations, taking everything from top-secret files on missile systems in India to confidential visa applications, including those of Canadians travelling abroad. The findings, which are part of a report that will be made public today in Toronto, will expose one of the biggest online spy rings ever cracked. Written by researchers at the University of Toronto's Munk Centre for International Studies, the Ottawa-based security firm SecDev Group and the Shadowserver Foundation, the report is expected to be controversial. The report is available online: Shadows in the Cloud: "There is an urgent need for a global convention on cyberspace that builds robust mechanisms of information sharing across borders and institutions, defines appropriate rules of the road for engagement in the cyber domain, puts the onus on states to not tolerate or encourage mischievous networks whose activities operate from within their jurisdictions, and protects and preserves this valuable global commons. Until such a normative and policy shift occurs, the shadows in the cloud may grow into a dark, threatening storm."

The password of 1,112 MeFiers is "123456"
How I'd hack your password is a good introduction to how easy it is to compromise a weak password. What's a weak password? Anything among the top 20 passwords revealed among the thirty million users of RockYou is a good start ("123456" is #1). Or you can look at the 500 worst passwords as drawn by Kate Bingaman-Burt based on a list by security expert Mark Burnett. An analysis of password cracking software tells you what to avoid when trying to generate a strong password, but you can follow these techniques, or give up altogether.

Planet War
From the bloody civil wars in Africa to the rag-tag insurgencies in Southeast Asia, 33 conflicts are raging around the world today, and it's often innocent civilians who suffer the most. Each photo and summary has deep back story links.

Anonymous Buzzkill
A worrisome set of posts from Princeton University's "Freedom to Tinker" blog: In many situations, it may be far easier to unmask apparently anonymous online speakers than they, I, or many others in the policy community have appreciated. Today, I'll tell a story that helps explain what I mean. Second post: what BoingBoing knows about John Doe. Third, and most concerning post: The traceability of an online anonymous comment. Related post: a well researched review of the privacy concerns around the roll-out of, and push-back against, Google Buzz.

Cracking the PS3
George Hotz started a blog chronicling his journey to a software-only PS3 crack. Despite tackling a platform that has held strong for three years, Hotz claimed to have gained read/write access to all system memory after five weeks. Although the PS3 actually ships with Linux support, these cracks circumvent the hypervisor that places strict restrictions on low-level hardware access. You may know Hotz as the geohot who released the first hardware iPhone jailbreak, added a software-only jailbreak for all iPhones and iPod Touches, and won multiple awards (pdf) at ISEF 2007 for building a working holographic display system while a senior in high school.

What Israel can teach us about (airport) security
What Israel can teach us about (airport) security. At Ben Gurion Airport in Tel Aviv, it's all about eye contact. Expert: "[T]hey're not looking for liquids, they're not looking at your shoes. They're not looking for everything they look for in North America. They just look at you... Even today with the heightened security in North America, they will check your items to death. But they will never look at you, at how you behave. They will never look into your eyes... and that's how you figure out the bad guys from the good guys." Oh, and get this: "The goal at Ben Gurion is to move fliers from the parking lot to the airport lounge in 25 minutes tops."

Bruce Schneier's work isn't peer reviewed. He has no peers.
Is aviation security mostly for show? An essay by Bruce Schneier.

Hello? Can you hear me now?
Karsten Nohl and a team of fellow researchers have cracked the 64-bit encryption used in 80% of the world's GSM phones. Nohl had previously cracked the encryption in the MIFARE smartcard system, demonstrating that the encryption on that device can be cracked in approximately no time whatsoever. These, of course, aren't the first gaping holes in cellphone security to come to light; indeed, lack of security seems to be part of the design spec. Perhaps all new cellphones should just be distributed with a deck of cards.

Chowned
While many Linux users cite the system's security against malware, the appearance of malware disguised as a screensaver reminded everyone that no system is 100% safe. Ubuntu users were quick to identify the virus, identify the perpetrators, and create a fix, but this isn't the first time this has happened, and it will in all likelihood not be the last. The criticism in the community is directed squarely at the user base: "In general the lesson to be learned is if you want a secure system, don't download any software outside the official package sources without at least looking at the source code first."