Displaying items by tag: Hacking

So the big Sony Hack that everyone was talking about and that the US government blamed on Korea might not have been state sponsored after all. Despite the FBI’s initial (and way too fast) conclusion that the source of the attacks were from North Korea there was ample evidence that this was not the case from the start. Anyone familiar with the way an attack happens knows that the majority are going to be pushed through multiple proxies and will have some sort of obfuscation to hide who is doing what including using code that might have been used before.

Edward Snowden is the gift that keeps on giving. After walking out on the NSA with a ton of secret documents detailing the extent that the agency and their partners were digging into ordinary people’s lives he started to release them. Even after the first and very damaging release of documents Snowden promised that there was more and worse to come. We have seen some pretty bad things coming from the classified document stash including a report that was recently published by Der Speigel.

The concept of the fingerprint ID has been around for a long time and, for the most part, has been seen as a rather secure method of locking your things away. At least that is the way it is seen by the public. For most of the security crowd finger print ID as a security system have one major flaw in them, they are all little more than optical scanners. If you can fool the scanner, which does not do much more than compare one image to another, then you are in.

If we have said it once, we have said it a thousand times, there is no such thing as a secure network or system. This is especially true when the network is, by design, intended to deal with external user or customer connections. We are, of course, talking about the Sony (Pictures) breach and the subsequent treasure trove of emails and documents that have been flowing from that event since. Sony is in a very bad way since the hack as they have (stupidly) kept some rather sensitive information on their servers that is no open for the public to see.

Hey remember the group that launched the DDoS attack on Steam? Well they are back and have decided to make a little bit bigger of a statement than just throwing packets at a group of servers. This time they appear to have managed to grab a large number of user information from companies like Blizzard, Ubisoft and many others. They have taken this information and (unsurprisingly) dumped it to paste bin. If you do not know who we are talking about it is the DerpTrolling “hacker” group and they have been on a mission to shame just about every game publishing/distribution company on the planet.

The world lives in fear of zero-day exploits although the average person does not even know it. A zero-day exploit is a bug or a flaw that has not been discovered by the developers yet, but is known to someone outside. This can be good guys, bad guys or other, but it is still a flaw that can be used to do harm to a computer system and no one has a patch for it yet. When the good guys (security researchers) know about them they work with companies to patch them. When the bad guys know about these things get very ugly indeed. But what happens if someone knows about one (or a bunch of them) and does not tell anyone at all?

Just when you thought it was safe to get back on the internet privately. Although we have maintained that TOR has never been the end-all of anonymity we are surprised to finally see public conformation of techniques that have been around for years. In a report that discusses the use of flow records for detecting users on proxy networks we find that the tools to track you through TOR and many other networks have been right there all along.

Encryption is an interesting thing. On the surface it offers protection from prying eyes and sense of security in protecting your communication and files. At least that is what you should feel when talking about encryption. The problem is that encryption is only as secure as the protocol and API that is in use. Even if you have a rock solid certificate the protocol and APIs that you use to connect can be compromised to by-pass this. This is what has happened to almost every major SSL/TLS stack. So far in 2014 we have watched them fall one at a time to the dismay of security experts.

The targeting of travelers is something that is a very old idea. To the would-be attacker you are getting a target that is not familiar with their surroundings and (in many cases) has a lot of money on them. In the “old days” the target was the cash they brought with them. This quickly changed to a number of scams to get access to their credit card numbers and the cash that they protected. Still the idea was to go after the traveler because they were easy targets when they were out and about.

It would seem that even the next generation of “secure” payment systems are showing up with flaws before they really hit the streets. According to security researchers there is a flaw in the next generation of electronic payments dubbed chip-n-PIN. This new technology has been hailed as the more secure means of using your cash without all the worry of swipe fraud or other hassles of using the more traditional magnetic cards. However, as with far too man y technologies these days, someone missed a rather big loophole for the bad guys to exploit