Ultrasaur Blog
Keeping track of exciting new threats to your digital records.
July 23rd, 2009 by Dave
If you ask a random person on the street if digital photos can be trusted, the answer is probably going to be a no — even though many prints live most of their lives digitally.
Adobe and others are working on software to heuristically tell if a photo has been altered. From a mathematical perspective, I find this software fascinating, but in a sense it’s self defeating:
- No matter how much the software costs, I suspect that photo forgers are also software pirates, so they’re going to have this software
- You can now iterate on your forged image until it passes the test
So essentially a tool for detecting forgeries is a perfect tool for creating forgeries.
Tags: digital media, fraud Posted in misc | No Comments »
July 17th, 2009 by Dave
When we demo, usually one of the first things I say is “You have digital records” because almost every organization is moving towards having more and more of their content in document management systems of some stripe.
But it’s always interesting to read about the tiny fraction that aren’t, like the New York Police Department, which still spends a third of a million dollars every year on typewriters.
Most of the city’s arrest forms have been computerized, but property and evidence vouchers printed on carbon-paper forms still require the use of typewriters.
…officials are working on software that would eliminate the need for the typewriters.
Tags: funny, government, paper, police Posted in misc | No Comments »
July 13th, 2009 by Dave
Apparently this is old news in the security world, but in a world where critical passwords are still on post-it notes on the monitor, it’s still interesting: hackers can read your keystrokes through the power grid. Currently it’s only been proven to a distance of about 15 meters, which means they have to get access to an outlet in the same building, even if it can be floors away. And the researchers claim this is done with only $500 in equipment, so it stands to reason that specialized equipment could do better.
The Slashdot discussion points out that defenses against this technology were declassified over 20 years ago. (See TEMPEST.)
Most importantly, there’s a fun way to try this at home if you have a CRT monitor and a short wave radio (unfortunately I have neither). Tempest for Eliza is a program that will do essentially the reverse of this hack — vary what’s being shown on your monitor to do something specific with the leaking electromagnetic waves: playing a song on a short wave radio frequency.
Tags: hacking, privacy, techniques Posted in hackers | No Comments »
July 7th, 2009 by Dave
Using a Social Security Number as a password is fairly common in the US for reasons I can’t understand.
Of course this password is nowhere near random; different states get different prefixes, and now:
With just two attempts, the researchers correctly guessed the first five digits of SSNs for 60 percent of deceased Americans born between 1989 and 2003.
Oddly, the solution is the old (and wrongheaded):
The new findings remind consumers that they should use caution when sharing data online
Which is a little strange considering that all that was involved in this attack is knowing the victim’s date of birth — the kind of information that has been published in old-fashioned local newspapers for a lot longer than the internet has been around.
Tags: data, databases, stub Posted in misc | No Comments »
July 6th, 2009 by Dave
Why do we know that the chief of MI-6 (yes, that MI-6) is friends with David Irving? Well, someone let out too much info on Facebook. Sooner or later, any information you give a third party can leak out (that’s why we don’t collect any); it’s just too easy to make it sooner.
And a California teacher accidentally put pornography on a DVD for her class. And yes:
The person in the video turned out to be Isabelle Jackson Elementary fifth grade teacher Crystal Defanti.
Tags: oops, stub Posted in file failure | No Comments »
June 27th, 2009 by Dave
We normally focus on the bigger stuff, but fake expense receipts are a reminder that insider fraud does happen.
Some random thoughts on expense receipts:
- I’ve taken taxis for work where the driver offers to increase the receipt $10 or so, if I’d pay in cash.
- They offer perverse incentives: the bus system in Seattle is often easier than a taxi, but I could get a receipt for the taxi making it free (vs $2 to take the bus).
- When I lived in China, outside most subway stops were vendors selling taxi receipts. The idea again being that the subway was cheaper (and often faster), but you could still get reimbursed for a (more expensive) fictional taxi trip.
- The real cost is repeated over and over in the comments: if you need to ask for too much verification, you’re “making all trips cost an extra half day’s productivity for each traveler”
Tags: fraud, old timey ways, records Posted in record falsification | No Comments »
June 19th, 2009 by Dave
We don’t regularly follow physical security, but I enjoyed the article (thanks Bruce Schneier). It’s interesting to note that “high security” locks mean that they can stand up for 10 minutes — and according to Marc Weber Tobias, none last more than a few seconds reliably.
But the parallel I find most interesting is how little original work I had to do while prepping our next demo (where I hack a SharePoint server). Smarter people than me had already done the legwork, just like regular crooks who use Tobias’ work to bump the lock on your bike. You don’t have to protect your doors & servers against what you can do, but against what the sum of the smartest hackers can do.
Side note: I want to buy this laptop just to have the big guy’s computer.
Tags: attacks, crime, stub Posted in hackers | No Comments »
June 12th, 2009 by Stacey
I just got back from attending the Quantum Works Annual General Meeting in Toronto. Quantum Key Distribution (QKD) was a very hot topic and the focus of several presentations. QKD will likely be the first quantum computing technology to be applied in the real world.
There were presentations from Networks of Centers of Excellence and the Ontario Ministry of Research and Innovation, in which collaboration between research institutes and industry players was discussed.
Tags: cryptography, events, quantum computing Posted in events | No Comments »
June 11th, 2009 by Dave
Not entirely counter-intuitive, but there’s a new study out showing that different industries suffer data breaches in different proportions (but still suffer them).
The Health Care and Social Assistance sector reported a larger than average proportion of lost and stolen computing hardware, but reported an unusually low proportion of compromised hosts. Educational Services reported a disproportionally large number of compromised hosts, while insider conduct and lost and stolen hardware were well below the proportion common to the set as a whole. Public Administration’s proportion of compromised host reports was below average, but their proportion of processing errors was well above the norm. The Finance and Insurance sector experienced the smallest overall proportion of processing errors, but the highest proportion of insider misconduct. Other sectors showed no statistically significant difference from the average, either due to a true lack of variance, or due to an insignificant number of samples for the statistical tests being used.
Source: Interhack (Full study as a PDF)
Tags: attacks, fraud, hacking, statistics Posted in hackers | No Comments »
June 8th, 2009 by Stacey
Dave’s looking into improving our notifications by integrating our alerts with PagerDuty. With any luck it should pretty much work out of the box, and we’ll be peppering them with feature requests any day now.

Tags: features, partners Posted in development | No Comments »