MetaFilter posts tagged with hacking and security

Neurosecurity

homunculus — Wed, 08 Jul 2009 20:29:23 -0800

Neurosecurity: security and privacy for neural devices. "An increasing number of neural implantable devices will become available in the near future due to advances in neural engineering. This discipline holds the potential to improve many patients' lives dramatically by offering improved—and in some cases entirely new—forms of rehabilitation for conditions ranging from missing limbs to degenerative cognitive diseases. The use of standard engineering practices, medical trials, and neuroethical evaluations during the design process can create systems that are safe and that follow ethical guidelines; unfortunately, none of these disciplines currently ensure that neural devices are robust against adversarial entities trying to exploit these devices to alter, block, or eavesdrop on neural signals. The authors define 'neurosecurity'—a version of computer science security principles and methods applied to neural engineering—and discuss why neurosecurity should be a critical consideration in the design of future neural devices." [Via Mind Hacks]

High Security? Maybe.

ostranenie — Thu, 28 May 2009 12:22:26 -0800

You are Medeco, one of the world's premier lock companies. And you think your super-secure locks are tight. Until, that is, some upstart troublemaker comes along, reverse engineers them and shows the world (via Wired magazine--with video, natch) showing just how (supposedly) insecure they are. Then this same troublemaker releases a book giving all your secrets away. Wired article comes complete with overblown, panic-now headlines (Ultimate Lock Picker Hacks Pentagon) from the Wired writers. You think they had a contest?

Amazing discoveries in plain-text Tor exit traffic.

Anything — Tue, 04 Dec 2007 18:04:45 -0800

This is an ironic tale of the consequences of inept application of cryptographic tools. Or is it? Dan Egerstad, a Swedish hacker, gained access to hundreds of computer network accounts around the world, belonging to various embassies, corporations and other organizations. How did he do it? Very easily: by sniffing exit traffic on his Tor nodes. Egerstad ran exit nodes on the Tor anonymity network, used as links from the network to the rest of the world. He looked at the traffic going through his nodes and found that many users were logging in to sensitive accounts without using end-to-end encryption. From the Sydney Morning Herald article:

After a couple of months sniffing and capturing information, Egerstad was faced with a moral dilemma: what to do with all the intercepted passwords and emails. If he turned his findings over to the Swedish authorities, his experiment might be used by his country's intelligence services to continue monitoring the compromised accounts. That was a little too close to espionage for his liking. So Egerstad set about notifying the affected governments. He approached a few, but the only one to respond was Iran. "They wanted to know everything I knew," he says. "That's the only response I got, except a couple of calls from the Swedish security police, but that was pretty much all the response I got from any authority." Frustrated by the lack of a response, Egerstad's next step caused high anxiety for government staffers - and perhaps intelligence services - across the globe. He posted 100 email log-ins and passwords on his blog, DEranged Security. "I just ended up (saying) 'Screw it, I'm just going to put it online and see what happens'."

He later removed the information from his blog, says the hard drives are "long gone"; also, there don't appear to be any public mirrors of the data. Nonetheless, the incident got him arrested and his hardware confiscated. One curious angle in this story is the question of which of the plain-text logins sniffed by Egerstad were made by unauthorized third party attackers instead of unwitting legitimate users.

However, Egerstad now believes the victims of his experiment may not have been using Tor. It's quite possible he stumbled on an underground intelligence gathering exercise, carried out by parties unknown. "The whole point of the story that has been forgotten, and I haven't said much about it, (is that) many of these accounts had been compromised," he says. "The logins I caught were not legit users but actual hackers who'd been reading these accounts."

Here's Bruce Schneier's commentary on the case. Here's the Tor FAQ, which tells you what it's good for and how to use it properly.

I'm in ur address book, callin ur peeps

chuckdarwin — Wed, 13 Jun 2007 06:45:20 -0800

How secure is your password? If you're like some people, it's probably not secure enough. When did you last change yours?

Introducing Jikto

scalefree — Wed, 28 Mar 2007 13:40:05 -0800

Klaatu barada...Jikto? First there was Nikto. Then along came Wikto. Last Saturday at Shmoocon Billy Hoffman introduced the world to Jitko, a client-side vulnerability scanner that exploits your browser & turns your PC into a platform for finding holes in computers across the Internet (or behind your firewall). Reactions were mixed. Does Jikto go too far?

There's some sort of karmic justice here.

daHIFI — Tue, 21 Feb 2006 09:44:34 -0800

"To tell the truth ... I'm sorta surprised they haven't caught me yet," The Washington Post ran an interesting interview with a botmaster, a young man who made serveral thousands of dollars a month installing XXX spyware on machines that he controlled. He installed the software on the machines of people he did not know by hacking into them remotely. The lenghty article included a partial photo of the botmaster along with vauge descriptions of the small midwestern town where the man lives, and was published with the understanding that the man's identity would be kept secret. Someone should have told that to the person that manages photos at the Washington Post. An estute reader over at Slashdot was able to locate some extra information stored in the picture's metadata including the photographer and the location the picture was taken, Roland, Oklahoma, a town of less than 3000 people. Whoops.

Harvard rejects

trharlan — Tue, 08 Mar 2005 18:46:03 -0800

"Hacker" discovers backdoor to Harvard Business School admissions decisions.
Harvard rejects all applicants who used the "hack."

Google falters? Can't be!

mrplab — Fri, 29 Oct 2004 16:37:21 -0800

GMail not-so-safe Mail. So apparentley GMail has a major exploit that's been discovered by an Israeli hacker. "Using a hex-encoded XSS link, the victim's cookie file can be stolen by a hacker, who can later use it to identify himself to Gmail as the original owner of an email account, regardless of whether or not the password is subsequently changed." And so the fun with GMail begins..

It's Justice Time!

eatitlive — Tue, 25 Feb 2003 09:51:58 -0800

Know what time it is, Kidz? It's U.S. Department of Justice Time!

On today's show, we'll learn why Hacking is REAL BAD, and give you a chance to find out if you are a good cybercitizen. Next, we'll meet Axel, the talking drug dog, and his friends the Bomb Dog Bunch! Then, we'll check in on the ATF, for some cool science fair ideas.

And finally, just for you kids with crooks or international terrorists for parents, here's a nifty PDF coloring book (Native American version also available).

mathowie — Tue, 16 Jul 2002 00:22:52 -0800

This is some scary stuff. Life in prison for malicious hacking? We can't keep rapists and murderers away from society for very long but now hackers & crackers could be jailed for life? And on top of that the FBI can monitor internet packets without a warrant? If you enjoy your freedom from gov't surveillance, it looks like it's time to start using PGP.

arnab — Fri, 03 May 2002 23:01:15 -0800

Competition to "reverse engineer" mystery program.
Another cool thingy from the HoneyNet Project; they're inviting people to convert a binary file into its original source. So, who's participating?

Lanternjmk — Mon, 11 Mar 2002 08:25:04 -0800

Hackers target Cell Phones With the connectivity of cell phones to the internet, hackers have begun to target cell phones, programming prank calls, placing calls to wherever and erasing the software in the phone.

dglynn — Wed, 09 Jan 2002 22:53:51 -0800

Hackers: Computer Outlaws A TLC show(that I'm 3/4 through) that seems to actually use reliable sources to discuss not just cracker behavior, but also the creative side of hackers, pointing out the developments attributed to some hackers. Now Markoff and Mitnick. Not a bad little show....

bkdelong — Thu, 20 Dec 2001 10:30:40 -0800

Microsoft's newest version of Windows.... billed as the most secure ever, contains several serious flaws that allow hackers to steal or destroy a victim's data files across the Internet or implant rogue computer software. The company released a free fix Thursday.

A Microsoft official acknowledged that the risk to consumers was unprecedented because the glitches allow hackers to seize control of all Windows XP operating system software without requiring a computer user to do anything except connect to the Internet.

thescoop — Tue, 25 Sep 2001 14:22:27 -0800

Silicon Valley backs Senate bill that would allow companies to report computer network attacks to the government without having to worry about the public finding out. The reasoning: it would encourage more companies to report the problems and help the government track down the culprits. A similar bill is in the House.

Steven Den Beste — Sat, 21 Apr 2001 20:03:22 -0800

You too can be a felon! Last year, the SDMI Foundation made a public challenge to see if anyone could crack 6 proposed protection mechanisms for digitally-encoded music. All six turned out to be feeble and all six fell. Since then, the SDMI Foundation has been relying on lawyers to cover up for the incompetence of their engineers. They're trying to suppress this article, so everyone reading this has a duty to make and store a copy of it. (Everyone should also own at least one copy of DeCSS. I have the 442-character C version printed on the back of my personal card.)

pecus — Thu, 22 Mar 2001 10:43:43 -0800

Vulnerabiity in OpenPGP You don't even need to crack the key, just get hold of it, modify a few bytes, and presto, sign away from other persona. The issue here is signing, not encrypting. The implications are evident when you think of internet voting, tax filing, etc., but it is still a victory for open cryptography, where peer review can find serious flaws.

Steven Den Beste — Fri, 09 Mar 2001 10:20:11 -0800

One million credit card numbers stolen! News at 11! The FBI has gone public with a rather dry account of a huge organized attack on ecommerce sites, exploiting security flaws in NT which Microsoft fixed and offered patches for nearly two years ago.

Steven Den Beste — Tue, 17 Oct 2000 21:53:14 -0800

The SDMI Hack challenge seems to have gone down in flames. And apparently it wasn't even very difficult to break into it. This article goes into it in some detail. [more]

Steven Den Beste — Wed, 19 Apr 2000 16:30:28 -0800

They bagged the kid who was responsible for all those Denial-of-Service attacks a couple of months ago. He's Canadian.

Here's an interesting legal question: could the US extradite him? The crimes were committed in the US, but he was in Canada at the time he did it, since he worked through the Internet. Whose laws apply?

(By the way, I've seen no indication that the US is considering extradition; I was just curious whether they could extradite him.)

mathowie — Sat, 12 Feb 2000 09:37:03 -0800

The Discovery Channel has a pretty good "Hackers Hall of Fame" but of course they get hacking/phreaking/cracking all munged up. There's a brief bio and short synopsis of activities for each person.

mathowie — Mon, 24 Jan 2000 11:47:24 -0800

Last night Kevin Mitnick was on 60 minutes (the gist of the interview is quoted here), and I have to say he came off as an utterly harmless geek. He was an information junkie that enjoyed the challenge of cracking firewalls. He never profited from his activities and the affected companies made up their monetary losses. It's a shame he was forced to waste away in prison instead of offer his security expertise to the affected companies.