Ultrasaur Blog
Keeping track of exciting new threats to your digital records.
Archive for the ‘hackers’ Category
Monday, July 13th, 2009
Apparently this is old news in the security world, but in a world where critical passwords are still on post-it notes on the monitor, it’s still interesting. Hackers can read your keystrokes through the power grid. Currently it’s only been proven to a distance of about 15 meters, which means they have to get access to an outlet in the same building, even if it can be floors away. And the researchers claim this is done with only $500 in equipment, so it stands to reason that specialized equipment could do better.
The Slashdot discussion points out that defenses against this technology were declassified over 20 years ago. (See TEMPEST.)
Most importantly, there’s a fun way to try this at home if you have a CRT monitor and a short wave radio (unfortunately I have neither), Tempest for Eliza is a program that will do essentially the reverse of this hack — vary what’s being shown on your monitor to do something specific with the leaking electromagnetic waves: playing a song in a short wave radio frequency.
Tags: hacking, privacy, techniques Posted in hackers | No Comments »
Friday, June 19th, 2009
We don’t regularly follow physical security, but I enjoyed the article (thanks Bruce Schneier). It’s interesting to note that “high security” locks mean that they can stand up for 10 minutes — and according to Marc Weber Tobias, none last more than a few seconds reliably.
But the parallel that I find most interesting, as I’m prepping our next demo (where I hack a SharePoint server), is how little original work I had to do. Smarter people than me had already done the legwork, just like regular crooks who use Tobias’ work to bump the lock on your bike. You don’t have to protect your doors & servers against what you can do, but against what the sum of the smartest hackers can do.
Side note: I want to buy this laptop just to have the big guy’s computer.
Tags: attacks, crime, stub Posted in hackers | No Comments »
Thursday, June 11th, 2009
Not entirely counter-intuitive, but there’s a new study out showing that different industries suffer data breaches in different proportions (but still suffer them).
The Health Care and Social Assistance sector reported a larger than average proportion of lost and stolen computing hardware, but reported an unusually low proportion of compromised hosts. Educational Services reported a disproportionally large number of compromised hosts, while insider conduct and lost and stolen hardware were well below the proportion common to the set as a whole. Public Administration’s proportion of compromised host reports was below average, but their proportion of processing errors was well above the norm. The Finance and Insurance sector experienced the smallest overall proportion of processing errors, but the highest proportion of insider misconduct. Other sectors showed no statistically significant difference from the average, either due to a true lack of variance, or due to an insignificant number of samples for the statistical tests being used.
Source: Interhack (Full study as a PDF)
Tags: attacks, fraud, hacking, statistics Posted in hackers | No Comments »
Tuesday, May 12th, 2009
In a clarification of their position on armed conflict, the United States will “not rule out a kinetic response to a cyber attack.” Meaning that the US may consider hacking (presumably by a foreign power) as an attack similar to a physical attack on a bridge or a dam.
At the other end of the spectrum, a court has upheld the “hacking” conviction of a man for misusing his computer at work to upload pornography.
Rasch said the problem stems from an amendment that was made to the federal Computer Fraud and Abuse Act — the federal anti-hacking law — that states have added to their own statutes.
“The early statute only talked about unauthorized access — which is breaking into computer,” he said. “But then they amended it to say ‘or exceeding the scope of authorization to access a computer’.”
Tags: news Posted in hackers | No Comments »
Friday, May 8th, 2009
According to Verizon the average insider-sponsored data breach nets the attacker 100,000 records. This is considerably more than attacks from other vectors (outsiders & partners), which makes sense if only from a bandwidth perspective.
Interesting though it is to read about, Spire Security makes the point that multiplying % of attacks by # of records stolen to calculate pseudo-risk (likelihood x impact) isn’t especially useful. (Unlike him, I’m more inclined to forgive the base rate fallacy problem since the solution shouldn’t be to change the structure of a business’ affairs.)
I think the major flaw in calculating risk is that there is so much variety in how you can calculate the impact. If stealing 100,000 records means taking the company directory, it’s relatively benign: in fact taking so many records might be a symptom of not knowing what they want to take.
And copying 8 million prescriptions is less bad than deleting them, which is itself less bad than altering some of them to be fatal.
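To make the point about impact concrete, here is an added example (not from the original post, Verizon, or Spire Security) that computes the pseudo-risk figure the post describes and then recomputes it with a per-record impact model that distinguishes copying, deleting and altering records. The breach shares, record counts, action mixes and severity weights are all constructed for illustration, and the ranking flips once the "what was done to the records" dimension is included.

```python
# Constructed figures for illustration; not Verizon's numbers.
# share = fraction of breaches attributed to the vector, records = records lost per breach
VECTORS = {
    "insider":  {"share": 0.20, "records": 100_000},
    "outsider": {"share": 0.70, "records": 30_000},
    "partner":  {"share": 0.10, "records": 50_000},
}

# Constructed relative severity per record: copying < deleting < altering,
# following the post's ordering. The ratios are assumptions, not measurements.
ACTION_WEIGHT = {"copied": 1.0, "deleted": 5.0, "altered": 25.0}

# Constructed mix of what each vector did to the records it touched (fractions sum to 1).
ACTION_MIX = {
    "insider":  {"copied": 0.8, "altered": 0.2},
    "outsider": {"copied": 1.0},
    "partner":  {"copied": 0.5, "deleted": 0.5},
}


def pseudo_risk(vectors):
    """The likelihood x impact figure from the post: share of breaches x records per breach."""
    return {name: v["share"] * v["records"] for name, v in vectors.items()}


def impact_per_record(mix, weights=ACTION_WEIGHT):
    """Expected severity of one affected record given the action mix."""
    total = sum(mix.values())
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"action mix must sum to 1, got {total}")
    return sum(frac * weights[action] for action, frac in mix.items())


def weighted_risk(vectors, action_mix):
    """Same product, but records are weighted by what was done to them."""
    return {
        name: v["share"] * v["records"] * impact_per_record(action_mix[name])
        for name, v in vectors.items()
    }


def rank(risks):
    """Vector names ordered from highest to lowest risk figure."""
    return sorted(risks, key=risks.get, reverse=True)


if __name__ == "__main__":
    naive = pseudo_risk(VECTORS)
    weighted = weighted_risk(VECTORS, ACTION_MIX)
    print("records-only ranking:", rank(naive), naive)
    print("action-weighted ranking:", rank(weighted), weighted)
```

With these inputs the records-only figure puts outsiders narrowly ahead of insiders, while the action-weighted figure puts insiders far ahead because a fifth of their records were altered rather than merely copied. The lesson is not the specific numbers but that the result is dominated by an impact assumption the raw record count never captures.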
Tags: data, math, report Posted in Uncategorized, hackers | No Comments »
Wednesday, May 6th, 2009
According to a claim at WikiLeaks, a hacker has taken “8,257,378 patient records and a total of 35,548,087 prescriptions” from the Virginia Health Professions Database (website is down).
Any intrusion should call the current records into question (we often talk about what could happen if a hacker changes your financial documents, but a bad prescription can kill).
The hacker claims:
Also, I made an encrypted backup and deleted the original.
However, according to the Washington Post:
Sandra Whitley Ryals, director of the Department of Health Professions, said in a statement Wednesday that the program’s computer system has been shut down since last Thursday’s breach, but all data was backed up and those files have been secured.
Tags: attacks, government, news Posted in events, hackers | 1 Comment »