From Engadget:

We hate to break it to you, but that oh-so-reliable GPS system that you simply obey each day could eventually lead you down a dark, perilous path. No, we’re not referring to the blind-faith drivers who throw caution and common sense to the wind and drive directly into sandpiles and bodies of water, but a new discovery has found that the unencrypted data that’s beamed to drivers every day via RDS-TMC navigation systems could be undermined with relative ease. Andrea Barisani, chief security engineer with Italian consultancy Inverse Path, has claimed that the wireless signals could not only be intercepted, but incorrect directions could actually be used to lead motorists into a trap, direct traveling competitors away from a sales presentation, or create a massive gridlock by instructing the weary working crowd to all take the same “detour” home. It was noted that some firms are already looking into more secure methods of delivering such critical information, and considering the lessons we’ve already learned about GPS-addicted drivers, the updates can’t come soon enough.

We ran a piece on Liquidmatrix almost a year ago about hackers stealing David Beckham’s BMW with a laptop and some ingenuity. Funnily enough, that was also driven (pun intended) by an article on Engadget. The more wireless technology we integrate into products to add convenience, the more new attack surface we open up. I just wonder how long it will be until someone hacks the Nike iPod sneakers.

The folks at TechCrunch have purchased the site F-ckedCompany.com.

The basic details of the transaction are included in a press release that will go out around 9 pm PST tonight, and Pud has also mentioned this on his personal blog. We weren’t going to announce this for another week or so (even though I hinted at it on CrunchNotes), but too many people know about it already and news of it was starting to leak (see Wired and CNET as well). I don’t want to be in a position again where other sites are breaking our news, so we’re announcing officially this weekend.

I’m drinking from my F-ckedCompany.com coffee mug right now. Sadly, the logo has faded over the years. This story really has no security angle to it. I just love these two sites. Great news.

It’s not April 1st so I’m going to assume that this is a genuine announcement.

UPDATE: Well, the joke might be on me. Turns out that April 1st may also include March 31st. A new calendar it would seem. Not sure at this point if this is real or a joke. Either way, very funny. :-/

The upside being that we got picked up on Techmeme again. Now that is very cool!

We here at Liquidmatrix love, and I mean LOVE, our coffee. These guys, however, take things to a new level.

Starbucks eat your heart out.

You know, I have been working in the security space now for 10+ years and I like to think that I have encountered quite a few security vendors. One of the amusing aspects of my job is the vendor spin that has been liberally applied with respect to NERC standards, namely the Critical Infrastructure Protection (CIP) standards. It is amazing to hear vendors tell me how their product will help ensure NERC compliance, and then, upon a follow-up question or two, admit that they are unaware of what the NERC CIP standards actually say.

These standards are an attempt by NERC (and soon enough FERC) to drag the electricity industry kicking and screaming into a secure posture. There has been a general apathy in the industry with regards to security as a whole. SCADA systems have historically been designed for reliability, with little focus on security.

Security is a growing concern in SCADA circles. I guess one could say that it’s better late than never. Recently the folks at Digital Bond created waves when they submitted a security vulnerability to CVE. For SCADA providers this is a new phenomenon. They had been used to flying below the radar, but with SCADA systems attaching to the internet more often (with negative consequences), security is on the front burner now.

I stumbled across this release today. Toronto Hydro announced that they have selected a firm (which I have never heard of) to help them meet their obligations for NERC CIP.

N-Dimension is working with Toronto Hydro-Electric System’s various departments to conduct an operational risk assessment that includes a review of elements related to physical security (access to facilities), human factors (training, adherence to policies), and information technology factors (cyber security). The cyber security review will comprise eight elements: access control, vulnerability management, perimeter control, layered approach, encryption, monitoring, back-up and recovery, as well as audits and logs.

N-Dimension Solutions Inc. may be very qualified, but with the looming deadlines in 2008 for NERC compliance, I’m worried. Why? I’m worried that fly-by-night operations will spring up to cash in on the overworked SCADA folks who might not be aware of which firms are qualified. I hope that operations like Digital Bond and Plantdata can educate and help folks out in short order.

Brian Krebs has a nice posting about secure coding practices and certification.

SANS Research Director Alan Paller said the tests should help companies better evaluate consultants and candidates for programming jobs, allow programmers to identify gaps in their security knowledge, and give universities an incentive to include secure coding classes as a requirement for computer science, engineering, and programming degrees.

I can easily think of a few coders that I would like to see put to the test. I know they’ll crash and burn, but sometimes…

I’m sitting in a meeting at my day job, listening to a prospective vendor lyrically describing their lush infosec management capabilities, and my mid-morning reverie was broken by the following phrases in rapid succession:

We use a labyrinth of firewalls. Four in series because you can sometimes see past the first few.

I asked what he meant when he said “see past the first few” — he answered something mumbling about traceroute.

We use a proprietary encryption algorithm.

I’ve read enough Schneier to positively flip out at this one.

The data is protected by 4096-bit MD5 encryption.

Ok… I’m not even going to get into it with this guy.

SSL is not safe for our environment, one of our engineers broke SSL in 3 minutes.

OMFG – YOU BROKE THE INTERNET!!!!1!!! – WTFBBQ

Ahem, may I please attend the special press conference you’re going to call when you release this information? I want to see what happens when the guys with the mirrors on the inside of the glasses take you out with a NATO round to the cranium.

If you want SSL, we’ll change the encryption key once per day.

I’m sorry, did I misread the RFC where it describes per-session keys?

It’s not that I’m nervous, but, well, I’m nervous. You may all return to your regularly scheduled programme.

Computer forensics in action from C|Net:

What: Pharmaceutical supplier sued former employee, claiming use of a secure file deletion utility violated federal hacking laws.

When: U.S. District Judge Richard Lazzara ruled on March 21.

Outcome: Temporary restraining order granted against ex-employee until court hearing on March 30.

What happened, according to court documents: Until recently, Scott Arledge was a senior vice president at PharMerica in Tampa, Fla., where he was responsible for more than 2,500 employees and oversaw much of the company’s day-to-day operations.

On March 9, 2007, Arledge resigned to take a job as a vice president with Omnicare, PharMerica’s primary competitor. Both companies are in the business of supplying equipment and supplies to long-term care facilities such as nursing homes and hospitals.

According to PharMerica’s version of events, its former employee permanently deleted more than 475 files from his work computer two days before his resignation. That’s based on a forensic examination of Arledge’s company-issued Windows laptop by E-Hounds, a Florida data recovery firm.

Read on…

A Swampscott, Mass., high school student was badly burned and temporarily blinded after a homemade bomb made with a mixture of alcohol and chlorine exploded.

Jaren Richard, 15, and some friends made the mixture using instructions they found on the Internet, WHDV-TV, Boston, reported Friday. When they placed a cap on the bottle it exploded, spraying the mixture on the teenager. His friends immediately washed the boy’s eyes out with a hose.

This kid is the epitome of a dumb ass. There was a piece just run on CNN about this incident, and they liberally inserted YouTube, the inference being that YouTube is the root of this problem. This is where I have to cry foul. Where were this kid’s parents? This is akin to the (older) blaming of heavy metal music for the ills of teenagers. The media is looking for monsters on the internet when the real culprit (in this case) is in the home. It seems apparent that this kid never received the “fire bad” talk from his folks.

I’m sorry that this kid was injured, I am. But this is the perfect example of Darwinism at its finest.

This article is over on Viruslist.com. A good read:

The term ‘keylogger’ itself is neutral, and the word describes the program’s function. Most sources define a keylogger as a software program designed to secretly monitor and log all keystrokes. This definition is not altogether correct, since a keylogger doesn’t have to be software – it can also be a device. Keylogging devices are much rarer than keylogging software, but it is important to keep their existence in mind when thinking about information security.

Legitimate programs may have a keylogging function which can be used to call certain program functions using “hotkeys,” or to toggle between keyboard layouts (e.g. Keyboard Ninja). There is a lot of legitimate software which is designed to allow administrators to track what employees do throughout the day, or to allow users to track the activity of third parties on their computers. However, the ethical boundary between justified monitoring and espionage is a fine line. Legitimate software is often used deliberately to steal confidential user information such as passwords.

Follow the link for the full article.

Stories like this make me cringe.

From Boing Boing:

Axlrosen sez, “A wristwatch buried in the ice at the North Pole three years ago was found by a boy more than 1,800 miles away after it floated ashore on the Faeroe Islands.”

Niels Jakup Mortensen, 11, spotted a black box near his home on Suduroy, the Faeroes’ southernmost island, his mother Anna Jacobsen said. Inside, she said, was a watch that had been buried at the North Pole by Joergen Amundsen, a descendant of Norwegian polar explorer Roald Amundsen.

Jacobsen said the watch discovered by her son earlier this month was still working, and was accompanied by a letter from Joergen Amundsen. “It was so unbelievable,” she said. “It had been buried in the North Pole.”

UPDATE: Here is more info on this story (thanks, Keith).