Archive

Category Archives for "Security"

Notes about hacking with drop tools

In this report, Kasperky found Eastern European banks hacked with Raspberry Pis and "Bash Bunnies" (DarkVishnya). I thought I'd write up some more detailed notes on this.

Drop tools

A common hacking/pen-testing technique is to drop a box physically on the local network. On this blog, there are articles going back 10 years discussing this. In the old days, this was done with $200 "netbook" (cheap notebook computers). These days, it can be done with $50 "Raspberry Pi" computers, or even $25 consumer devices reflashed with Linux.

A "Raspberry Pi" is a $35 single board computer, for which you'll need to add about another $15 worth of stuff to get it running (power supply, flash drive, and cables). These are extremely popular hobbyist computers that are used everywhere from home servers, robotics, and hacking. They have spawned a large number of clones, like the ODROID, Orange Pi, NanoPi, and so on. With a quad-core, 1.4 GHz, single-issue processor, 2 gigs of RAM, and typically at least 8 gigs of flash, these are pretty powerful computers.

Typically what you'd do is install Kali Linux. This is a Linux "distro" that contains all the tools hackers want to Continue reading

Senegal Kicks Off Enhancing IoT Security Project

On April 4, 2018, the Canadian Multistakeholder Process: Enhancing Internet of Things (IoT) Security held its first convening in partnership with the Canadian Internet Registration Authority (CIRA)CANARIEInnovation, Science and Economic Development (ISED) Canada; and the Canadian Internet Policy and Public Interest Clinic (CIPIC). Over 80 participants from government, academia, public interest, industry, and other organizations attended the first meeting and many have continued to engage at in-person and virtual meetings ever since. Over the past eight months, this group has experienced significant success in the areas of consumer education, labeling, and network resiliency. And these achievements have been well-noted on a global scale.

A delegation from Senegal came to Canada in July to meet with members of the Enhancing IoT Security oversight committee. The group was comprised of government officials, Senegal Chapter members, and staff from the Internet Society’s African Bureau. The delegation met with Canadian government officials, technologists, public interest groups, and North American Bureau staff to learn more about how and why the IoT security project was initiated, and what the group had accomplished to date. The group discussed the significant successes the Canadian multistakeholder group had already achieved, the challenges it faced, Continue reading

Join Us to Discuss Attack Response at Internet Scale

How do we coordinate responses to attacks against Internet infrastructure and users? Internet technology has to scale or it won’t survive for long as the network of networks grows ever larger. But it’s not just the technology, it’s also the people, processes and organisations involved in developing, operating and evolving the Internet that need ways to scale up to the challenges that a growing global network can create.

One such challenge is unwanted traffic, ranging from spam and other forms of messaging-related abuse to multi-gigabit distributed denial of service attacks. Numerous incident response efforts exist to mitigate the effects of these attacks. Some are focused on specific attack types, while others are closed analysis and sharing groups spanning many attack types.

We are helping to bring together operators, researchers, CSIRT team members, service providers, vendors, information sharing and analysis centre members to discuss approaches to coordinating attack response at Internet scale. The Internet Society is sponsoring a two-day “Coordinating Attack Response at Internet Scale (CARIS) Workshop” intended to help build bridges between the many communities working on attack response on the Internet and to foster dialogue about how we can better collaborate.

The workshop will take place on February 28 Continue reading

Securify: practical security analysis of smart contracts

Securify: practical security analysis of smart contracts Tsankov et al., CCS’18

Sometimes the perfect is the enemy of the good. When we’re talking about securing smart contracts, we need all the help we can get! Bugs can cost millions of dollars. Securify uses a set of expert heuristics (patterns) to help identify issues in smart contracts. It’s available at https://securify.ch, has analysed over 18K uploaded contracts, and is used by security auditors as part of their arsenal.

The increased adoption of smart contracts demands strong security guarantees. Unfortunately, it is challenging to create smart contracts that are free of security bugs. As a consequence, critical vulnerabilities in smart contracts are discovered and exploited every few months. In turn, these exploits have led to losses reaching millions worth of USD in the past few years…. Despite their potential, repeated security concerns have shaken the trust in handling billions of USD by smart contracts.

Too right! We’ve examined some of the challenges involved in creating correct smart contracts in previous editions of The Morning Paper, as well as tools such as Zeus that help with verification.

It’s not a solvable problem in the general case (i.e., ‘perfect’ Continue reading

1 73 74 75 76 77 182