Slashdot Mirror
Hacks To Be Truly Paranoid About
snydeq writes: Nothing is safe, thanks to the select few hacks that push the limits of what we thought possible, InfoWorld's Roger Grimes writes in this roundup of hacks that could make even the most sane among us a little bit paranoid. "These extreme hacks rise above the unending morass of everyday, humdrum hacks because of what they target or because they employ previously unknown, unused, or advanced methods. They push the limit of what we security pros previously thought possible, opening our eyes to new threats and systemic vulnerabilities, all while earning the begrudging respect of those who fight malicious hackers."
None of these are new.
But once you see them, you'll be paranoid!
I think the hack that deleted all the comments on this article was truly impressive.
The only really worrisome one to me is the ATM card skimmers, because if you go to an unknown ATM, it's hard to know if it has a skimmer on top or not. Furthermore, it has increased dramatically over the past few years, up 300% from last year.
I submitted an article on the topic, but it was rejected. Bottom line: be careful when using ATMs, especially at bars and in Florida. Recently New York and Philadelphia have been increasingly targeted.
"First they came for the slanderers and i said nothing."
This stuff has been out there for more than two years for most of it except maybe the badusb. Go write a real news story and come back when you have something good...
The only thing that scares me is that you can buy a harddrive that might have it's firmware modified so they always have a backdoor into your system.
Be seeing you...
I don't get why none of these hacks mentioned silicon. It's like this: The government almost FOR SURE has back doors in every computing device ever made. Why? Because nowadays it takes little more than a court order to do this sort of thing. Manipulate the right employee at a silicon fab and now you have back doors into everything. Why should this scare the public? How well is this back door secured? Could someone else activate it?
... I have heard of these before, but it's good to get a run-down.
Stuxnet is my fav. It reminds me of the "drunk walk" algorithm I entered into a TRS-80 using BASIC, back in 1978 and stuff.
As an IT person, reading the article was like looking up symptoms for an illness: I think I have every fatal disease and hackers are crawling all over my system.
It little behooves the best of us to comment on the rest of us.
Given the dozens and dozens of reported hacks against large orgs over the last 2 year, I can only conclude there is a large disregard for properly addressing security that starts right at the top of the C suite in big companies.
That is at least as troubling for smaller companies, who likely have less resources to deal with security.
....the sky is falling!
Crypto hacks were mentioned but not crypto viruses which encrypt the files and then hold the decryption key for ransom. I haven't had trouble with viruses for years but was recently hit by one called locker. I had about 5 months of photos not backed up and was lucky not to lose them. Recovery for me was messy and involved fetching offsite backups from my mother's house. The author for reasons known only to him (he claimed it was an accidental release) relaesed the keys for this one and tools were quickly written to decrypt the files without paying the ransom. Also the software itself was forced by the author to decrypt the files if you left it on the machine (no thanks!). If I hadn't had good backups I could have lost 15 years of photos including family events and holidays like kids birth and ultransounds.
The virus I was hit with was brilliantly concealed and used a timebomb but it's actual execution was hit and miss. It didn't encrypt files with capitals in the extensions and it didn't appear to be sophisticated enough to realise if it had already encrypted a file if it was accessible at two locations.
In any case with the keys released freeware was quickly written by a security expert to decrypt the files
http://www.spamfighter.com/News-19666-Locker-Ransomware-Author-Regrets-Action-Releases-Decryption-Keys.htm
http://www.bleepingcomputer.com/forums/t/577953/locker-developer-releases-private-key-database-and-3rd-party-decrypter-released/
In contrast the guy who wrote a different virus called PCLocker has been playing a cat and mouse game with security experts and hobbyists and after initial success by the security community the author has managed to lock them out of fetching keys and decrypting software for the victims. He uses an ingenious key order fulfillment mechanism to ensure only the keys exposed are those for victims that have paid the ransom. A fascinating read:
http://blog.emsisoft.com/2015/05/05/pclock-uses-malicious-plugin-to-turn-wordpress-blogs-into-command-and-control-servers/
Of course you can imagine things getting much worse. For example imagine encrypting a hard disk's entire allocation table. May not work on the OS drive but it would be quick and quiet on other drives - unless the software was caught before being able to run at all you'd be stuffed.
Java, one of the most bug-filled, hackable software products the world
Indeed criticism should be leveled at Java for trying to retain one of it's original design intents of being a web safe sandbox while at the same time trying to be a golden hammer in pretty much every other problem/solution domains, server backend, rich client, embedded device etc meaning the platform got so huge and unwieldly it was too difficult to keep it secure if nothing because of it's sheer weight. But to call it the most hackable software products is just stupid and ignorant. Does the author understand the basic concept of memory management exploits? Buffer overruns exploits are virtually non-existant in Java, caused only by rare defects in the JVM itself.
"Most automated teller machines (ATMs) contain a computer that runs a popular OS, so it should come as no shock that they can be hacked. For the most part, this means Microsoft Windows"
..
:) ref
Nothing to disagree with so far
"ATM OSes often include an implementation of Java, one of the most bug-filled, hackable software products the world has ever known"
Only when run on top of Microsoft Windows. Sun Microsoft Systems were under the delusion that they owned Java. Originally designed to be a write-once-run-anywhere technology. At least before Microsoft innovated a Java Language Council(excluding Sun), took control of Java (JFC) and licensed it back to Sun (AFC)
Years later Oracle acquired Suns interest in Java and sued Google for including Java API calls in Android. Curiously enough Microsoft is 'licensing' patented Android technology to the handset manufacturers and Oracle isn't going after Microsoft.
Hacks to be paranoid of?
The most infamous and interesting ATM hacker was Barnaby Jack, who passed away in 2013. He would delight crowds at security conferences by bringing one or two commonly used ATMs on stage and within a few minutes have them spitting out fake cash.
Maybe this is what hackers should be paranoid of, revealing a little too much.
Jack was found dead in a San Francisco apartment on 25 July 2013 by his girlfriend. He was aged 35.[12][13][14] At the time of his death, he was due to attend a Black Hat Briefings hacking conference in Las Vegas.[15][16] Black Hat general manager Trey Ford, said "Everyone would agree that the life and work of Barnaby Jack are legendary and irreplaceable", and announced his spot would not be replaced at the conference.[13] According to the coroner, Jack died of a cocktail of prescription drugs and cocaine.[17]
"If any question why we died, Tell them because our fathers lied."
Check this incident out. Naturally, Qubes could not protect him because his laptop did not have an IOMMU. But the real interesting thing to me is where/when this implant was actually put in his system (he says he bought it new, in person, and the symptoms appeared sometime after a period of normal behavior).
Or you could change the phone number for the authorization service to a VOIP number that you own. That call is answered by a PC/whatever that knows the message specs and is more that happy to reply with an approval message to dispense cash. The message specs are in a similar document for the ATM also available at the same web site.
The possibilities are endless.
While StuxNet always impresses, my favorite hack was when they managed to get an iPod to dump it's firmware with it's beeper, as that was the only thing they managed to get access to. Stuck it in a box, read it, gz compressed it and chirped it while recording it.
Walk within three feet of a malicious RFID reader, and you are hacked.
Umm, nope. Not my RFID card anyway, sometimes I have to have three tries with it, in physical contact with the reader, before it is successfully read.
No one's going to be hacking this card from a passing car or in a crowd.
is convincing people that both people in a couple need to work to support themselves even though we have so much energy and technology and productivity, yet we end up with less than our single-income parents, *AND WE DEFEND THIS*.
I'm waiting for the first voice recognition virus or voice bomb. Basically someone saying something clever in a video or song or other mass media that triggers millions of devices into making an expensive call or directing them to something with a 0-day payload.
How long until snow crash jumps from science fiction to science fact?
The only thing that scares me is Intel Active Management Technology. This thing enables one to remotely authenticate to a wired computer and do everything with it: turn it on or off, have stealthy access to its screen etc. etc. And it works even if the computer is turned off or does something else. I'd bet that the NSA has a master password for any Intel AMT system ever produced.
I thought this would be about interesting APT campaigns or crazy exploits.
u gotta be AFRAID nao!
... those that use identity as authorization. if someone knows your number then all they technically have is knowing who you are. if they use your number to incur a debt then the party that accepted it is the real perp.
now we need to go OSS in diesel cars
How many friggin' ways are there to hang shoes in your closet? You'd think that just piling your shoes on the floor has been holding us back all these years, and we're just beginning to get a handle on this shoe storage thing. Buy expensive plastic drawers, make things out of moldy cardboard, hang 'em and wrap 'em like flies in a spiderweb, on doors, above your bed. Make labels. How about an entire room full of wax people in various positions to wear our shoes for us? To select a pair just tip over the wax person and take their shoes off. Simple.
There is always some 'Target Number'. No one ever has a bright idea any more, they must save them up until there is a round or round-plus-one number. Only a brain dead doofus would click into '100 uses for a dead cat' when another article promises 101 uses.
Zero-Day Life Hacks are the worst. Mixed in with the rest, at a glance you can tell that they were made up on the spot to help the author achieve the target number, and are not worth the time spend reading them. And there is no way to unread them, no delivered punishment for this crime. The last time someone felt guilty about wasting another person's precious time was back in 1959.
Life hacks don't just present these tips, they go on about them. You can't just be told to slide a friggin' block of wood along the floor to help set molding at the proper height. There has to be a Using A Block Of Wood Smartly video, and there's always a FAQ with dumb questions like, when I slide it into a corner, what then? (start over in another room, maybe it will work there) and What if the wood falls over? (find another piece). Even the most ludicrous and contrived aspects of something generates lengthy discussion, as if we have carved out a Corner of the Universe devoted solely to wood block molding sliding. The comments slide off into oblivion and disappear like they do everywhere else, the Internet is now like a continuous roll of one-sided toilet paper.
The people surfing these 'Hacks' are really asking themselves, I have these opposeable thumbs connected to a brain. What are they for? Well one thing you could do is spend every spare moment of your life in a voyeuristic journey paging through Life Hacks. As the senses dull and the little voice in our head that says, "Now THAT's clever" becomes over-used, our desperate brains are spurting little endorphin rushes that represent the Eureka! moment, and for a split second we pretend to be filing away every Life Hack like some modern day Sherlock Holmes, to regurgitate it some day at the precise moment when it will attract that mate, save that marriage, save your life and impress everybody
The truth is that you are forgetting them as fast as you are absorbing them and your own brain is becoming that one-sided continuous roll of toilet paper. It's a scam and you are both scammer and scamee. When you go to bed tonight, try to remember all the valuable tips you've learned. Then in the morning. In the place of hands-on basic 'aboriginal skills' of problem solving with the use of fingernails, using levers, found objects and baling wire, things upon things --- we're just merely glancing at things
You know those night-time satellite photos that show cities, highways and towns as shimmering webs of light? Well in terms of average depth of human concentration... those lights are winking out. Celebrities who've had their asses reamed by hateful people on Twitter and delete their accounts (whoosh!) to go back to old-fashioned interviews and press conferences teach us an important lesson about modern culture and long term mental health... which I will not share. This is no 'Life Hack' tip here... figure it out yourself.
Life Hacks also eat up idle quiet time, in which the mind fits things together in silly ways that are uniquely your own. We must use the Internet -- to find the slow tides of thought, laughter and fable we wish to use to construct our worlds, and spend equal time out in the most desperate emotional wildernesses of our time, to tame them to our liking. Not passively surf 'Life Hacks'.
<blink>down the rabbit hole</blink>
Subject line says it all; I expected more than that article provided. Please.
Honestly, this has to be the stupidest /. article ever. And that's saying something. I don't know whether to keep laughing or cry.
These are simplistic and unimaginative. There are some big (and quite devastating) options that the author has not considered.
Now car manufacturers are following the lead of traditional software companies: They are hiring hackers to help improve the security of their car systems. Think about that the next time you’re at a dealership, tempted by the model with the best Wi-Fi.
What is this nonsense?! Smart IoT-clouding everything is the way of the future! I have to be able to dispense ice from my fridge with an app!
Hey, where's the apps guy when you need him? Her?
When did /. start using the Hollywood definition of hack, rather than the hackish one?