Risky Business #382 — Charlie Miller talks car hax, Uber

On this week's show we're checking in with Charlie Miller. We chat car hacking and we also (kind of) find out what he's up to now he's working at Uber.

This week's show is brought to you by HackLabs, an Australian security consultancy. They're a key sponsor of Australia's Cyber Security Challenge, which is basically a CTF for Australian CS students. What makes this one a bit different is it's being run by the Prime Minister's Office, which is, yeah, unexpected. Chris joins us later to discuss the challenge, that's this week's sponsor interview.

read more

North Korea is likely behind attacks exploiting a Korean word processing program

North Korea is likely behind cyberattacks that have focused on exploiting a word processing program widely used in South Korea, security firm FireEye said Thursday in a report.The proprietary program, called Hangul Word Processor, is used primarily in the south by the government and public institutions.The vulnerability, CVE-2015-6585, was patched three days ago by its developer Hancom.FireEye's conclusion is interesting because only a handful of attacks have been publicly attributed to the secretive nation, which is known to have well-developed cyber capabilities.To read this article in full or to leave a comment, please click here

What’s that drama?

The infosec community is known for its drama on places like Twitter. People missing the pieces can't figure out what happened. So I thought I'd write up the latest drama.

It starts with "Wesley McGrew" (@McGrewSecurity), an assistant professor at Mississippi state. He's been a frequent source of infosec drama for years now. Since I, myself, don't shy away from drama, I can't say that he's necessarily at fault, I'm just pointing out that he's been involved in several Big Infosec Drama Blowups.

Then there is "Adrian Crenshaw" (@irongeeek_adc) (aka. "Irongeek") who maintains a website http://irongeek.com, which hosts a lot of infosec videos. He'll work with conferences to make sure talks get recorded and uploaded to his site. A lot of smaller cons host their video there. If you frequently watch infosec videos, then you know the site.


I think this specific drama started back in April, when Irongeek made this April Fool's joke:
https://twitter.com/McGrewSecurity/status/583250910387789824

Many, most especially McGew, criticized Irongeek for this, claiming it was an "unfunny slap to women in security".

I don't know when it happened, but Irongeek punished McGrew by blocking students from McGrew's university, Mississippi State. This was noticed last week.

https://twitter. Continue reading

US defense secretary mulls rapid grants for tech companies

The U.S. Department of Defense is considering offering rapid seed funding to private companies as a way to encourage more work on technology projects with the commercial sector, Secretary of Defense Ashton Carter said Wednesday.The push for greater cooperation with tech companies has been a big theme for the DOD in the last year as it faces a growing and unprecedented threat from private and state actors on the Internet and beyond.That was demonstrated late last year when Sony Pictures suffered a devastating hack of its corporate email system that the U.S. government attributed to North Korea. Hackers based overseas have also been blamed for high-profile attacks on the Department of State and the Office of Personnel Management, the latter of which resulted in personal data on millions of government employees being lost.To read this article in full or to leave a comment, please click here

US defense secretary mulls rapid grants for tech companies

The U.S. Department of Defense is considering offering rapid seed funding to private companies as a way to encourage more work on technology projects with the commercial sector, Secretary of Defense Ashton Carter said Wednesday. The push for greater cooperation with tech companies has been a big theme for the DOD in the last year as it faces a growing and unprecedented threat from private and state actors on the Internet and beyond. That was demonstrated late last year when Sony Pictures suffered a devastating hack of its corporate email system that the U.S. government attributed to North Korea. Hackers based overseas have also been blamed for high-profile attacks on the Department of State and the Office of Personnel Management, the latter of which resulted in personal data on millions of government employees being lost.To read this article in full or to leave a comment, please click here

Video: Virtual networking’s killer use case

A key theme at this year's VMworld conference was the virtualization of the data center, and specifically the network.+MORE AT NETWORK WORLD: Containers key to Cisco's "open" data center OS +VMware entered into the networking market two years ago when it purchased Nicira for more than $1 billion. Since then VMware has rolled out NSX, it’s virtual networking product. Officials say there are already 700 NSX deployments, including 65 customers that have $1 million+ NSX deployments.In the video below, check out what VMware’s Chris King says have been some of the driving factors behind virtual networking, and learn how virtual networking is being used as a security tool, and not just network agility software.To read this article in full or to leave a comment, please click here

Video: Virtual networking’s killer use case

A key theme at this year's VMworld conference was the virtualization of the data center, and specifically the network.+MORE AT NETWORK WORLD: Containers key to Cisco's "open" data center OS +VMware entered into the networking market two years ago when it purchased Nicira for more than $1 billion. Since then VMware has rolled out NSX, it’s virtual networking product. Officials say there are already 700 NSX deployments, including 65 customers that have $1 million+ NSX deployments.In the video below, check out what VMware’s Chris King says have been some of the driving factors behind virtual networking, and learn how virtual networking is being used as a security tool, and not just network agility software.To read this article in full or to leave a comment, please click here

Turla cyberespionage group exploits satellite Internet links for anonymity

A cyberespionage group of Russian origin that targets governmental, diplomatic, military, educational and research organizations is hijacking satellite-based Internet connections in order to hide their servers from security researchers and law enforcement agencies.The group is known as Epic Turla, Snake or Uroburos and even though some of its operations were first uncovered in February 2014, it has been active for at least eight years.To read this article in full or to leave a comment, please click here

New Apple TV: Siri and the App Store are the stars of Apple’s new set-top box

Apple is re-entering the living room with the 2015 Apple TV, a new set-top box that streams video, plays games, and uses Siri to answer your every entertainment whim.+ Find out what Apple did to the new iPad +The last time Apple upgraded its living room hardware was more than two years ago, and even that was a minor refresh of the 2012 Apple TV. The new version is a significant upgrade, packing more powerful hardware and a full-blown app store.Similar look, new apps At first glance, the new Apple TV sports a similar interface to that of its predecessor. A strip of recommendations sit on top, followed by a list of apps underneath. The big difference now is that there’s an entire App Store, rather than a preset list of Apple-curated selections.To read this article in full or to leave a comment, please click here

Some notes on satellite C&C

Wired and Ars Technica have some articles on malware using satellites for command-and-control. The malware doesn't hook directly to the satellites, of course. Instead, it sends packets to an IP address of a known satellite user, like a random goat herder in the middle of the wilds of Iraq. Since the satellites beam down to earth using an unencrypted signal, anybody can eavesdrop on it. Thus, while malware sends packets to that satellite downlink in Iraq, it's actually a hacker in Germany who receives them.

This is actually fairly old hat. If you look hard enough, somewhere (I think Google Code), you'll find some code I wrote back around 2011 for extracting IP packets from MPEG-TS streams, for roughly this purpose.

My idea was to use something like masscan, where I do a scan of the Internet from a fast data center, but spoof that goat herder's IP address. Thus, everyone seeing the scan would complain about that IP address instead of mine. I would see all the responses by eavesdropping on that satellite connection.

This doesn't work in Europe and the United States. These markets use more expensive satellites which not only support encryption, but also narrow "spot Continue reading

Trade Stimulators and the Very Old Idea of Increasing User Engagement

Very early in my web career I was introduced to the almost mystical holy grail of web (and now app) properties: increasing user engagement.

The reason is simple. The more time people spend with your property the more stuff you can sell them. The more stuff you can sell the more value you have. Your time is money. So we design for addiction.

Famously Facebook, through the ties that bind, is the engagement leader with U.S. adults spending a stunning average of 42.1 minutes per day on Facebook. Cha-ching.

Immense resources are spent trying to make websites and apps sticky. Psychological tricks and gamification strategies are deployed with abandon to get you not to leave a website or to keep playing an app.

It turns out this is a very old idea. Casinos are designed to keep you gambling, for example. And though I’d never really thought about it before, I shouldn’t have been surprised to learn retail stores of yore used devices called trade stimulators to keep customers hanging around and spending money.

Never heard of trade stimulators? I hadn’t either until, while watching American Pickers, one of my favorite shows, they talked about this whole Continue reading

Microsoft patches yet another Hacking Team zero-day exploit

Over two months after Italian surveillance software maker Hacking Team had its internal data leaked by hackers, vendors are apparently still fixing zero-day exploits from the company's arsenal.On Tuesday, Microsoft published 12 security bulletins covering 56 vulnerabilities in the new Edge browser, Internet Explorer, Windows, Office, Skype for Business, .NET Framework and some of its other software products.To read this article in full or to leave a comment, please click here

1 3,321 3,322 3,323 3,324 3,325 3,836