Security

Hacks To Be Truly Paranoid About

snydeq writes: Nothing is safe, thanks to the select few hacks that push the limits of what we thought possible, InfoWorld's Roger Grimes writes in this roundup of hacks that could make even the most sane among us a little bit paranoid. "These extreme hacks rise above the unending morass of everyday, humdrum hacks because of what they target or because they employ previously unknown, unused, or advanced methods. They push the limit of what we security pros previously thought possible, opening our eyes to new threats and systemic vulnerabilities, all while earning the begrudging respect of those who fight malicious hackers."
  • Duh (Score:5, Insightful)

    by Anonymous Coward on Monday June 15, 2015 @08:35PM (#49918119)

    None of these are new.

    • Re:Duh (Score:4, Insightful)

      by Anonymous Coward on Monday June 15, 2015 @08:47PM (#49918187)

      Yeah, my grandmother knows about at least three of them from grandparent magazines. I'm past asking why this is on Slashdot...

    • by hughbar ( 579555 )
      Yes, agree, was this an advertorial for infoworld? To be constructive, the 'really bad' are SCADA, infrastructure, IoT and [on their list] vehicle hacks. Water supply, power stations including nuclear, train signaling, electricity grid and [Lord forbid] weapons systems. Except for 'car', none of those are included.

      ATM hacks just throw pieces of paper around, doesn't really do any physical damage. Consider it to be redistributive.
    • None of these are new.

      Probably why neither the headline nor the summary suggested as much.

  • Card skimmers (Score:5, Interesting)

    by phantomfive ( 622387 ) on Monday June 15, 2015 @08:54PM (#49918217) Journal
    The only really worrisome one to me is the ATM card skimmers, because if you go to an unknown ATM, it's hard to know if it has a skimmer on top or not. Furthermore, it has increased dramatically over the past few years, up 300% from last year.

    I submitted an article on the topic [slashdot.org], but it was rejected. Bottom line: be careful when using ATMs, especially at bars and in Florida. Recently New York and Philadelphia have been increasingly targeted.
    • by Lumpy ( 12016 )

      It's actually really easy to identify a skimmer, just grab and tug on the card slot. If it comes off, it's a skimmer.

      • by Mashiki ( 184564 )

        Only works if that's the case. There's some amazingly complex mockups including the entire cowl and keypad, and those asshole of no-where ones where the skimmer is built right into the machine itself. The one you're talking about? They're still around but not near as common as the other types out there.

        • Re: (Score:2, Informative)

          by Anonymous Coward

          Brian Krebs puts up some really shocking skimmer articles every once in a while. When you think you can spot all the skimmers out there, you've already lost.

    • by jasno ( 124830 )

      I've always wondered about skimming using nothing more than a high speed camera and a zoom lens. I'm guessing you could point a camera at a gas station card reader from 200' away and read the entire back of the card as it goes in and out.

      I look like a nutcase when I use my credit card in public for this very reason. Sadly it's easy to get a misread when you're awkwardly trying to shield both sides of the card with your hands.

    • by guruevi ( 827432 )

      Why is it worrisome? Your bank covers any and all malicious charges with a single call, barely any questions asked. Sure, you're out of a card for 2 days, but then you just use another one.

      • Your bank covers any and all malicious charges with a single call, barely any questions asked.

        If you notice in time.

        • Re: (Score:3, Informative)

          by DanJ_UK ( 980165 ) *
          Often doesn't matter, clever crooks debit £1 here and there on a continual basis, much like the little bastard in one of the corner shops next to my office. Took me about 6 months to not notice, it was only when Barclays' automated fraud system noticed and flagged it up that my card was blocked and a new one issued.
          • One protection for that is to have the bank send you an email every day listing all of the transactions against the card. If you're getting emails about transactions on days that you didn't use the card, then you have early warning that someone else has your card details.
            • by Bongo ( 13261 )

              May as well, because those fraud prevention calls can become quite frequent.

            • by zopper ( 4044367 )
              Or have an email/sms notice after every card transaction. My bank sends the notices immediately, and as email they are for free. Here and there I get a little scared by some unexpected payment from auto-billing (like to Spotify), but in such case, I can check the transactions using e-banking or mobile app. Though it may be that US banks are not offering such services...
          • Don't you balance your books, or read your bank statements? I'd notice that sort of thing straight away, because the bank records would not match my personal records.
      • Comment removed based on user account deletion
        • by guruevi ( 827432 )

          No, federal regulations state that all electronic transactions are covered with a consumer liability of $50, your state may have better protections. Most banks do not even hassle about it, they'd rather keep you as a customer so they will waive the liability. If your bank does not, change banks.

    • by Anonymous Coward

      FWIW I have read that it's safest to use an ATM at a bank rather than some off-site ATM, because the ones at banks are most often competently checked/maintained/observed, so less likely to have been tampered with.

    • by Rich0 ( 548339 )

      The only really worrisome one to me is the ATM card skimmers, because if you go to an unknown ATM, it's hard to know if it has a skimmer on top or not. Furthermore, it has increased dramatically over the past few years, up 300% from last year.

      The problem is just in the fundamentals of how we design credit/debit/etc cards. We put all the logic in the reader and often the cards themselves are easy to duplicate. Most cards with chips also keep all the logic in the reader but at least the chip makes the card impossible to copy. With just a chip in the card you can still tamper with the transaction details or create transactions as long as the card is present if you subvert the reader.

      What we really should move to is a model where all the authoriz

      • by Toshito ( 452851 )

        There is already a ton of logic on the chip card. It's a working computer with apps installed on it.

        The chip and the reader actually negotiate and exchange keys to validate each other, and the app on the card can refuse to do a transaction if the keys don't work.

        Now the problem is that we still have to put magnetic stripes on our (Canadian) cards because the Americans are 20 years late in implementing chip cards. The rest of the world did it, what are they waiting for?

        • by Rich0 ( 548339 )

          There is already a ton of logic on the chip card. It's a working computer with apps installed on it.

          Sure, but the interface between the chip and its owner is completely MITM'ed by the reader. There is no way for the chip to know whether the transaction it is being asked to authorize by the reader is the one the account holder wants to authorize.

          All the chip does is prove that it is present, or maybe accept a PIN number first.

          And I won't argue that the US banks are worse than the rest of the world. I just think that chip-and-PIN alone is really far short of what could be done to secure cards.

          • by Toshito ( 452851 )

            There is a public key exchange between the terminal and the card. These keys aren't public, and when we inject keys into a terminal it's done in a closed room supervised by security officers.

            So I think it must be quite a challenge to do a MITM attack. Also, there is a cryptographic part to the message (the transaction) which is calculated by the chip using an algorithm and a key known only to the chip and to the card emitter. When receiving the transaction, and before approving it, the emitter does the same

            • by Rich0 ( 548339 )

              Just open up the terminal and rewire the display and keypad to go to a different computer, while not touching anything else. The POS terminal sends to the card reader the total bill of $1000. The MITM computer displays on the terminal screen a request to authorize a payment of $10.95, and passes the PIN input to the reader's computer. The reader dutifully passes along the PIN and transaction for $1000 to the credit card, which dutifully notices that the reader is completely valid and authorizes the trans
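The exchange debated in this sub-thread, as an added example that is not part of any comment here and is not any card scheme's real code: a toy model in which the chip MACs the transaction with a key shared only with the issuer, and the issuer recomputes it. HMAC-SHA256 stands in for the card's actual algorithm; the class names, field layout, currency and amounts are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def cryptogram(key: bytes, amount_cents: int, currency: str,
               nonce: bytes, counter: int) -> bytes:
    """MAC over the transaction fields (HMAC-SHA256 stand-in, truncated)."""
    fields = f"{amount_cents}|{currency}|{nonce.hex()}|{counter}".encode()
    return hmac.new(key, fields, hashlib.sha256).digest()[:8]


class Card:
    """Hypothetical chip: holds the key and a transaction counter."""

    def __init__(self, key: bytes):
        self._key = key
        self._counter = 0

    def authorize(self, amount_cents: int, currency: str, nonce: bytes):
        # The chip signs whatever the reader hands it; it has no display
        # or keypad of its own to confirm the amount with the cardholder.
        self._counter += 1
        mac = cryptogram(self._key, amount_cents, currency, nonce, self._counter)
        return self._counter, mac


class Issuer:
    """Hypothetical issuer: recomputes the MAC before approving."""

    def __init__(self, key: bytes):
        self._key = key
        self._last_counter = 0

    def verify(self, amount_cents, currency, nonce, counter, mac) -> bool:
        if counter <= self._last_counter:          # replayed cryptogram
            return False
        expected = cryptogram(self._key, amount_cents, currency, nonce, counter)
        if not hmac.compare_digest(expected, mac):  # fields were altered
            return False
        self._last_counter = counter
        return True


def run_scenarios() -> dict:
    key = secrets.token_bytes(32)  # constructed sample key
    card, issuer = Card(key), Issuer(key)
    results = {}

    # 1. Honest terminal: displayed, signed and submitted amounts agree.
    nonce = secrets.token_bytes(4)
    ctr, mac = card.authorize(1095, "CAD", nonce)
    results["honest"] = issuer.verify(1095, "CAD", nonce, ctr, mac)
    # Same message submitted a second time is refused.
    results["replay"] = issuer.verify(1095, "CAD", nonce, ctr, mac)

    # 2. Amount changed after the chip signed: the MAC no longer matches.
    nonce = secrets.token_bytes(4)
    ctr, mac = card.authorize(1095, "CAD", nonce)
    results["changed_after_signing"] = issuer.verify(100000, "CAD", nonce, ctr, mac)

    # 3. Display shows one amount, reader submits another to the chip.
    #    The MAC is valid for what was signed, so the issuer accepts it;
    #    nothing in the cryptogram binds what the cardholder saw.
    displayed, requested = 1095, 100000
    nonce = secrets.token_bytes(4)
    ctr, mac = card.authorize(requested, "CAD", nonce)
    results["display_mismatch_accepted"] = issuer.verify(requested, "CAD", nonce, ctr, mac)
    results["displayed_equals_signed"] = displayed == requested
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The model shows both positions at once: the cryptogram catches replay and any change made after signing, while the integrity of the display and keypad has to come from the terminal's physical tamper resistance.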

  • Nothing But FUD!!! (Score:3, Insightful)

    by sizzlinkitty ( 1199479 ) on Monday June 15, 2015 @08:55PM (#49918229)

    This stuff has been out there for more than two years for most of it except maybe the badusb. Go write a real news story and come back when you have something good...

  • Harddrive Firmware (Score:5, Insightful)

    by Nyder ( 754090 ) on Monday June 15, 2015 @08:58PM (#49918239) Journal

    The only thing that scares me is that you can buy a harddrive that might have it's firmware modified so they always have a backdoor into your system.

    • How would this manipulate an OS so the backdoor is available without being identified? Maybe a backdoor on a NIC with a secret port knock bypassing the OS to sniff traffic, but even that will get noticed sooner or later.
      • by Anonymous Coward

        How would hard drive firmware affect the OS? Did you really just ask that? For 1 it can modify OS files AND lie about it. For 2 it can potentially spread to the NIC or PCI or USB controllers' firmware. For 3 it could boot you in a VM then boot the OS you expect...
        You can't remove infected firmware unless you know what jtag is and how to hook it up to the drive's controller and do your own forensics on the firmware. At that point you may as well make your own firmware. If your OS is loaded from an infected dr

    • ANY Firmware (Score:4, Interesting)

      by Burz ( 138833 ) on Monday June 15, 2015 @10:17PM (#49918617) Homepage Journal

      Check this incident out. [google.com] Naturally, Qubes could not protect him because his laptop did not have an IOMMU. But the real interesting thing to me is where/when this implant was actually put in his system (he says he bought it new, in person, and the symptoms appeared sometime after a period of normal behavior).

    • by Anonymous Coward

      Looks like you already have the dreaded apostrophizer installed, somehow you used "it is" when you meant "its".

      https://en.wikipedia.org/wiki/... [wikipedia.org]

  • by CaptainDork ( 3678879 ) on Monday June 15, 2015 @09:12PM (#49918289)

    ... I have heard of these before, but it's good to get a run-down.

    Stuxnet is my fav. It reminds me of the "drunk walk" algorithm I entered into a TRS-80 using BASIC, back in 1978 and stuff.

    As an IT person, reading the article was like looking up symptoms for an illness: I think I have every fatal disease and hackers are crawling all over my system.

    • Indeed. Another point: I don't get the snobbery around here.

      Yes, I know this is "news for nerds", but it shouldn't be so nerdy that the average person or aspiring nerd that shows up feels too intimidated by the articles that they won't read the articles or join in discussion.

      For a lot of us, this is old news, sure. But it's not cool to assume that everyone knows what we know.

      • I'm an old man retired from the business about six months ago.

        Systems people tend to piss me off, from college professors, through IT departments, all the way up to management.

        It's mostly ego, insecurity, paranoia, and pockets of silos.

        I won't blather on, but, simply put, I mentor that the word "user" is for manuals and should be referred to the "U" word elsewhere. People are our coworkers. We all show up to support the same mission statement: "To get people to give our Firm money and feel good about it."

        Wh

  • by BoRegardless ( 721219 ) on Monday June 15, 2015 @09:15PM (#49918309)

    Given the dozens and dozens of reported hacks against large orgs over the last 2 years, I can only conclude there is a large disregard for properly addressing security that starts right at the top of the C suite in big companies.

    That is at least as troubling for smaller companies, who likely have less resources to deal with security.

    • Well computer security like the rest of IT is a cost center and doesn't add to profits. Security gets even less attention as it isn't a "profit enabler" (I believe that is the term the ass holes use) and is something that you can't tell if it is working until it doesn't. Even in very heavily regulated industries that supposedly take computer security seriously they usually do the bare minimum to not get fined. Add in that there are a lot of snake oil salesmen out there telling you that if you buy product X and
    • Given the dozens and dozens of reported hacks against large orgs over the last 2 years, I can only conclude there is a large disregard for properly addressing security that starts right at the top of the C suite in big companies.

      That is at least as troubling for smaller companies, who likely have less resources to deal with security.

      I think they're doing their jobs right and it's the consumers that are failing by not holding their companies accountable.

  • by Anonymous Coward

    Crypto hacks were mentioned but not crypto viruses which encrypt the files and then hold the decryption key for ransom. I haven't had trouble with viruses for years but was recently hit by one called locker. I had about 5 months of photos not backed up and was lucky not to lose them. Recovery for me was messy and involved fetching offsite backups from my mother's house. The author for reasons known only to him (he claimed it was an accidental release) released the keys for this one and tools were quickly wr

    • Tracking these guys down would be a much better use of NSA / black sites. These jerks affect many more people than the boogie man terrorists, let's start giving them the same treatment.
  • by geekpowa ( 916089 ) on Monday June 15, 2015 @09:50PM (#49918445)
    A light-weight article, typified by this:

    Java, one of the most bug-filled, hackable software products the world

    Indeed criticism should be leveled at Java for trying to retain one of its original design intents of being a web safe sandbox while at the same time trying to be a golden hammer in pretty much every other problem/solution domains, server backend, rich client, embedded device etc meaning the platform got so huge and unwieldy it was too difficult to keep it secure if nothing because of its sheer weight. But to call it the most hackable software products is just stupid and ignorant. Does the author understand the basic concept of memory management exploits? Buffer overrun exploits are virtually nonexistent in Java, caused only by rare defects in the JVM itself.

    • by Anonymous Coward on Monday June 15, 2015 @10:04PM (#49918529)

      Yes you're right. That honour goes to Adobe Flash.

      • by TimSSG ( 1068536 )

        Yes you're right. That honour goes to Adobe Flash.

        It's a close race; but, I think Adobe Flash is winning. Tim S.

    • by lgw ( 121541 )

      caused only by rare defects in the JVM itself.

      Except for the "rare" part, sure. And every monthly Java exploit puts every machine running Java out there at risk (I'm assured by Sun there are over a billion such machines, much like McDonald's hamburgers).

      You can write secure C code - difficult, but possible. You cannot write secure Java code, as there's nothing you can do about your regularly scheduled JVM flaw.

      • My understanding is that most of those exploits are browser/sandbox related, and nothing like arbitrary code injection exploits that have marred Flash recently. Running a full 'sandboxed' JVM in a browser needs to be taken out the back and shot and on this basis java is indeed probably very insecure, Oracle should have flagged this as a legacy setup disabled by default a very long time ago; but this doesn't mean the entire platform is fundamentally broke. Having said that it would be interesting to compare i
        • by burbilog ( 92795 )

          Running a full 'sandboxed' JVM in a browser needs to be taken out the back and shot and on this basis java is indeed probably very insecure, Oracle should have flagged this as a legacy setup disabled by default a very long time ago;

          So, every iLO on HP servers out there must be now obsolete?

          • Since they essentially require me to keep a machine around running Java 6 and an old browser so I can still access them, then yes? But then, so does Unisphere and the embedded broadcom Fiber switch software. Java 6 can never die - it's the only way to configure systems and network hardware.

        • by lgw ( 121541 )

          and nothing like arbitrary code injection exploits that have marred Flash recently.

          There are real problems in Java as well, but, yes, nothing like the frequency of Flash exploits.

          Having said that it would be interesting to compare instances of malware exploits for typical desktop internet connected PC by actual vector and see how java related vectors actually measure up.

          Desktop PCs are all about browser hijacks. Most people have Java turned off by now (except for some stupid legacy internal corporateware in a few places, much like IE6). I hope to have Flash removed everywhere soon too(once Youtube gets fully away from Flash - I should check again).

    • It wouldn't be a good, scary InfoWorld article without sensationalist bullcrap.

    • A light-weight article...

      The article appears in InfoWorld, what do you expect?

      .
      InfoWorld is still trying to relive its glory days of the 90's when it played second fiddle to PCWeek.

    • by LQ ( 188043 )

      A light-weight article, typified by this:

      Java, one of the most bug-filled, hackable software products the world

      Indeed criticism should be leveled at Java for trying to retain one of its original design intents of being a web safe sandbox while at the same time trying to be a golden hammer in pretty much every other problem/solution domains, server backend, rich client, embedded device etc meaning the platform got so huge and unwieldy it was too difficult to keep it secure if nothing because of its sheer weight. But to call it the most hackable software products is just stupid and ignorant. Does the author understand the basic concept of memory management exploits? Buffer overrun exploits are virtually nonexistent in Java, caused only by rare defects in the JVM itself.

      There are gazillions of lines of Java in the enterprise space safely immune to drive-by hackers. OK, applets were over-optimistic and turned out to be a bad idea in practice. But I get bored with defending Java in other spaces. It does a great job for business in the server and on the desktop.

      • I agree and I am too an advocate of Java for desktop and server side dev. To clarify my OP, when I said " too difficult to keep it secure if nothing because of its sheer weight", what I meant was secure in terms of fulfilling the design intent of Java's sandbox model so that you can safely run untrusted code in an applet embedded in a browser. Pretty hard to secure a sandbox when its perimeter rivals the Mexican border.
    • by Rich0 ( 548339 )

      Buffer overrun exploits are virtually nonexistent in Java, caused only by rare defects in the JVM itself.

      The problem is that JVM vulnerabilities historically haven't been all that rare. And keeping your JVM up-to-date has always been a hassle. On Linux distros there were a lot of licensing problems in the past (I'm not sure how much better that has gotten) - and that made packaging/etc tricky. On other platforms I've found the Sun updaters/etc REALLY annoying. Besides wanting to install malware at every opportunity, it seems like it keeps old versions around and I'm never sure if my system is vulnerable or

  • by nickweller ( 4108905 ) on Monday June 15, 2015 @09:54PM (#49918469)
    "Most automated teller machines (ATMs) contain a computer that runs a popular OS, so it should come as no shock that they can be hacked. For the most part, this means Microsoft Windows"

    Nothing to disagree with so far ..

    "ATM OSes often include an implementation of Java, one of the most bug-filled, hackable software products the world has ever known"

    Only when run on top of Microsoft Windows. Sun Microsoft Systems were under the delusion that they owned Java. Originally designed to be a write-once-run-anywhere technology. At least before Microsoft innovated a Java Language Council [edge-op.org](excluding Sun), took control of Java (JFC) and licensed it back to Sun (AFC) :) ref [edge-op.org]

    Years later Oracle acquired Sun's interest in Java and sued Google for including Java API calls in Android. Curiously enough Microsoft is 'licensing' patented Android technology to the handset manufacturers and Oracle isn't going after Microsoft.
  • by koan ( 80826 )

    Hacks to be paranoid of?

    The most infamous and interesting ATM hacker was Barnaby Jack, who passed away in 2013. He would delight crowds at security conferences by bringing one or two commonly used ATMs on stage and within a few minutes have them spitting out fake cash.

    Maybe this is what hackers should be paranoid of, revealing a little too much.

    Jack was found dead in a San Francisco apartment on 25 July 2013 by his girlfriend. He was aged 35.[12][13][14] At the time of his death, he was due to attend a Black Hat Briefings hacking conference in Las Vegas.[15][16] Black Hat general manager Trey Ford, said "Everyone would agree that the life and work of Barnaby Jack are legendary and irreplaceable", and announced his spot would not be replaced at the conference.[13] According to the coroner, Jack died of a cocktail of prescription drugs and cocaine.[17]

  • I'm waiting for the first voice recognition virus or voice bomb. Basically someone saying something clever in a video or song or other mass media that triggers millions of devices into making an expensive call or directing them to something with a 0-day payload.

  • ... those that use identity as authorization. If someone knows your number then all they technically have is knowing who you are. If they use your number to incur a debt then the party that accepted it is the real perp.
    • by Rich0 ( 548339 )

      ... those that use identity as authorization. If someone knows your number then all they technically have is knowing who you are. If they use your number to incur a debt then the party that accepted it is the real perp.

      Bingo. The problem is the use of a shared secret that you end up sharing with half the planet.

      I should be able to post a PDF of every government document I've ever gotten online and there should be no risk of impersonation. The only exception should be things like initial-password assignment emails/letters up until the time that the password was initially set.

  • by TheRealHocusLocus ( 2319802 ) on Tuesday June 16, 2015 @07:41AM (#49920337)

    How many friggin' ways are there to hang shoes in your closet? You'd think that just piling your shoes on the floor has been holding us back all these years, and we're just beginning to get a handle on this shoe storage thing. Buy expensive plastic drawers, make things out of moldy cardboard, hang 'em and wrap 'em like flies in a spiderweb, on doors, above your bed. Make labels. How about an entire room full of wax people in various positions to wear our shoes for us? To select a pair just tip over the wax person and take their shoes off. Simple.

    There is always some 'Target Number'. No one ever has a bright idea any more, they must save them up until there is a round or round-plus-one number. Only a brain dead doofus would click into '100 uses for a dead cat' when another article promises 101 uses.

    Zero-Day Life Hacks are the worst. Mixed in with the rest, at a glance you can tell that they were made up on the spot to help the author achieve the target number, and are not worth the time spent reading them. And there is no way to unread them, no delivered punishment for this crime. The last time someone felt guilty about wasting another person's precious time was back in 1959.

    Life hacks don't just present these tips, they go on about them. You can't just be told to slide a friggin' block of wood along the floor to help set molding at the proper height. There has to be a Using A Block Of Wood Smartly video, and there's always a FAQ with dumb questions like, when I slide it into a corner, what then? (start over in another room, maybe it will work there) and What if the wood falls over? (find another piece). Even the most ludicrous and contrived aspects of something generates lengthy discussion, as if we have carved out a Corner of the Universe devoted solely to wood block molding sliding. The comments slide off into oblivion and disappear like they do everywhere else, the Internet is now like a continuous roll of one-sided toilet paper.

    The people surfing these 'Hacks' are really asking themselves, I have these opposable thumbs connected to a brain. What are they for? Well one thing you could do is spend every spare moment of your life in a voyeuristic journey paging through Life Hacks. As the senses dull and the little voice in our head that says, "Now THAT's clever" becomes over-used, our desperate brains are spurting little endorphin rushes that represent the Eureka! moment, and for a split second we pretend to be filing away every Life Hack like some modern day Sherlock Holmes, to regurgitate it some day at the precise moment when it will attract that mate, save that marriage, save your life and impress everybody

    The truth is that you are forgetting them as fast as you are absorbing them and your own brain is becoming that one-sided continuous roll of toilet paper. It's a scam and you are both scammer and scamee. When you go to bed tonight, try to remember all the valuable tips you've learned. Then in the morning. In the place of hands-on basic 'aboriginal skills' of problem solving with the use of fingernails, using levers, found objects and baling wire, things upon things --- we're just merely glancing at things

    You know those night-time satellite photos that show cities, highways and towns as shimmering webs of light? Well in terms of average depth of human concentration... those lights are winking out. Celebrities who've had their asses reamed by hateful people on Twitter and delete their accounts (whoosh!) to go back to old-fashioned interviews and press conferences teach us an important lesson about modern culture and long term mental health... which I will not share. This is no 'Life Hack' tip here... figure it out yourself.

    Life Hacks also eat up idle quiet time, in which the mind fits things together in silly ways that are uniquely your own. We must use the Internet -- to find the slow tides of thought, laughter and fable we wish to use to construct our worlds, and spend equal time out in the most desperate emotional wildernesses of our time, to tame them to our liking. [slashdot.org] Not passively surf 'Life Hacks'.

    • ... to slide a friggin' block of wood along the floor to help set molding at the proper height.

      That's a neat hack. Thanks!

      • That worked great for me until I hit a corner. So I got another block of wood. I was able to replace all the molding in my house, but I don't know what to do with all those blocks of wood. Perhaps there's a Life Hack for that...

  • Subject line says it all; I expected more than that article provided. Please.

  • FTA:

    Now car manufacturers are following the lead of traditional software companies: They are hiring hackers to help improve the security of their car systems. Think about that the next time you’re at a dealership, tempted by the model with the best Wi-Fi.

    What is this nonsense?! Smart IoT-clouding everything is the way of the future! I have to be able to dispense ice from my fridge with an app!

    Hey, where's the apps guy when you need him? Her?
