Hugh Pickens writes writes: "Christopher Williams reports that Frank Abagnale, the celebrated con man, confidence trickster, check forger, impostor, and escape artist portrayed in the Steven Spielberg film 'Catch Me If You Can,' warns that data posted on Facebook is an open invitation to identity thieves. "If you tell me your date of birth and where you're born [on Facebook] I'm 98 per cent [of the way] to stealing your identity," says Abagnale, who escaped from police custody twice, once from a taxiing airliner and once from a US federal penitentiary, before he was 21 years old. "Never state your date of birth and where you were born [on personal profiles], otherwise you are saying 'come and steal my identity'." Abagnale, who now works as a security consultant, was the target of a US federal manhunt in the 1960s as he posed as an airline pilot, doctor and attorney to steal millions of dollars. "What I did 40 years ago as a teenage boy is 4,000 times easier now," says Abagnale, who urged Facebook members to educate themselves and their children about the risks of giving away personal information online. "I have three sons on [Facebook]. I totally understand why people like it. But like every technology you have to teach children, it is an obligation of society to teach them how to use it carefully.""
Hugh Pickens writes writes: "Nate Anderson has an in-depth article in Ars Technica about remote administration tools (RATs) and "ratters," young men who invade someone's machine, rifle through their personal files, and silently watch them from behind their own screen. Many operate quite openly online in public forums like "Hack Forum," sharing the best techniques for picking up new "female slaves." "Most of my slaves are boring," writes one aspiring ratter. "Wish I could get some more girls with webcams. It makes it more exciting when you can literally spy on someone. Even if they aren't getting undressed!" RAT tools aren't new; the hacker group Cult of the Dead Cow famously released an early one called BackOrifice at the Defcon hacker convention in 1998, but today a cottage industry exists to build sophisticated RAT tools like BlackShades to control dozens or even hundreds of remote computers. Building an army of slaves isn't particularly complicated either; ratters simply need to trick their targets into running a file. This is commonly done by seeding file-sharing networks with infected files and naming them after popular songs or movies. One of the biggest problems ratters face is the increasing prevalence of webcam lights that indicate when the camera is in use. Entire threads are devoted to bypassing the lights, which routinely worry RAT victims and often lead to the loss of slaves. To combat detection, ratters compile lists of laptop models which don't have webcam lights and then take special pains to verify the make and model of slave laptops to see if they are on the list. RATs aren't going away, despite the occasional intervention of the authorities. Too many exist, plenty of them are entirely legal, and source code is in the wild. If you are unlucky enough to have your computer infected with a RAT, prepare to be sold or traded to the kind of person who enters forums to ask, "Can I get some slaves for my rat please? I got 2 bucks lol I will give it to you:b" At that point, the indignities you will suffer—and the horrific website images you may see—will be limited only by the imagination of that most terrifying person: a 14-year-old boy with an unsupervised Internet connection."
Hugh Pickens writes writes: "BBC reports that freezing an Android phone can help reveal its confidential contents allowing researchers to get at contact lists, browsing histories and photos of phones protected by the data scrambling system with the version of Android known as Ice Cream Sandwich. Researchers Tilo Muller, Michael Spreitzenbarth and Felix Freiling from FAU first put Android phones in a freezer for an hour until the device had cooled to below -10C then discovered that quickly connecting and disconnecting the battery of a frozen phone forced the handset into a vulnerable mode. This loophole let them start it up with some custom-built software rather than its onboard Android operating system. The researchers dubbed their custom code Frost — Forensic Recovery of Scrambled Telephones. The researchers tested their attack against a Samsung Galaxy Nexus handset as it was one of the first to use Android's disk encryption system. While the "cold boot" attack had been tried on desktop PCs and laptops this was the first group to try it on phones. "We thought it would work because smartphones are really small PCs," says Tilo Muller. "but we were quite excited that the trick with the freezer worked so well.""
Hugh Pickens writes writes: "The rules for papal elections are steeped in tradition. John Paul II last codified them in 1996, and Benedict XVI left the rules largely untouched. The "Universi Dominici Gregis on the Vacancy of the Apostolic See and the Election of the Roman Pontiff" is surprisingly detailed. Now as the College of Cardinals prepares to elect a new pope, security people like Bruce Schneier wonder about the process. How does it work, and just how hard would it be to hack the vote? First, the system is entirely manual, making it immune to the sorts of technological attacks that make modern voting systems so risky. Second, the small group of voters — all of whom know each other — makes it impossible for an outsider to affect the voting in any way. The chapel is cleared and locked before voting. No one is going to dress up as a cardinal and sneak into the Sistine Chapel. In short, the voter verification process is about as good as you're ever going to find. A cardinal can't stuff ballots when he votes. Then the complicated paten-and-chalice ritual ensures that each cardinal votes once — his ballot is visible — and also keeps his hand out of the chalice holding the other votes. Ballots from previous votes are burned, which makes it harder to use one to stuff the ballot box. What are the lessons here? First, open systems conducted within a known group make voting fraud much harder. Every step of the election process is observed by everyone, and everyone knows everyone, which makes it harder for someone to get away with anything. Second, small and simple elections are easier to secure. This kind of process works to elect a pope or a club president, but quickly becomes unwieldy for a large-scale election. And third: When an election process is left to develop over the course of a couple of thousand years, you end up with something surprisingly good."
Hugh Pickens writes writes: "The Guardian reports that the US nuclear weapons laboratory at Los Alamos, the birthplace of the atomic bomb, has replaced at least two network switches made by H3C Technologies, based in Hangzhou, China, over fears they might pose a national security risk. H3C began as a joint venture between China's Huawei Technologies and 3Com, a US tech firm, and was once called Huawei-3Com. Hewlett Packard acquired the firm in 2010. In October, the US House intelligence committee issued an investigative report that recommended government systems should not include components made by Huawei or ZTE, another Chinese manufacturer. The report said that based on classified and unclassified information, Huawei and ZTE "cannot be trusted to be free of foreign state influence" and pose "a security threat to the United States and to our systems." The company, the world's second-largest telecommunications equipment maker, denies its products pose any security risk or that the Chinese military influences its business. "There has never been a shred of substantive proof that Huawei gear is any less secure than that of our competitors, all of which rely on common global standards, supply chains, coding and manufacturing," says William Plummer, Huawei's vice president of external affairs. "Blackballing legitimate multinationals based on country of origin is reckless, both in terms of fostering a dangerously false sense of cyber-security and in threatening the free and fair global trading system that the US has championed for the last 60-plus years.""
Hugh Pickens writes writes: "Nicole Perlroth writes in the NY Times that the antivirus industry has a dirty little secret: antivirus products are not very good at stopping new viruses. Researchers collected and analyzed 82 new computer viruses and put them up against more than 40 antivirus products, made by top companies like Microsoft, Symantec, McAfee and Kaspersky Lab and found that the initial detection rate was less than 5 percent (PDF). “The bad guys are always trying to be a step ahead,” says Matthew D. Howard, who previously set up the security strategy at Cisco Systems. “And it doesn’t take a lot to be a step ahead.” Part of the problem is that antivirus products are inherently reactive. Just as medical researchers have to study a virus before they can create a vaccine, antivirus makers must capture a computer virus, take it apart and identify its “signature” — unique signs in its code — before they can write a program that removes it. That process can take as little as a few hours or as long as several years. In May, researchers at Kaspersky Lab discovered Flame, a complex piece of malware that had been stealing data from computers for an estimated five years. “The traditional signature-based method of detecting malware is not keeping up," says Phil Hochmuth. Now the thinking goes that if it is no longer possible to block everything that is bad, then the security companies of the future will be the ones whose software can spot unusual behavior and clean up systems once they have been breached. “The bad guys are getting worse,” says Matthew D. Howard. “Antivirus helps filter down the problem, but the next big security company will be the one that offers a comprehensive solution.”"
Hugh Pickens writes writes: "Michael Wilson writes in the NY Times that top intelligence officials in the New York Police Department are looking for ways to target "apolitical or deranged killers before they become active shooters" using techniques similar to those being used to spot terrorists' chatter online. The techniques would include "cyber-searches of language that mass-casualty shooters have used in e-mails and Internet postings," says Police Commissioner Raymond W. Kelly. "The goal would be to identify the shooter in cyberspace, engage him there and intervene, possibly using an undercover to get close, and take him into custody or otherwise disrupt his plans." There are also plans to send officers to Newtown and to scenes of other mass shootings to collect information, says the department's chief spokesman Paul J. Browne, adding that potential tactics include creating an algorithm that would search online "for terms used by active shooters in the past that may be an indicator of future intentions." The NYPD's counter-terrorism division released a report last year, "Active Shooter," after studying 202 mass shooting incidents (PDF). "So, we think this is another logical step," says Kelly."
Hugh Pickens writes writes: "In the old days, traditional computer security centered around users, but Bruce Schneier writes that now some of us have pledged our allegiance to Google, using Gmail, Google Calendar, Google Docs, and Android phones, while others have pledged allegiance to Apple, using Macintosh laptops, iPhones, and iPads and letting iCloud automatically synchronize and back up everything, while others of us let Microsoft do it all. "These vendors are becoming our feudal lords, and we are becoming their vassals. We might refuse to pledge allegiance to all of them — or to a particular one we don't like. Or we can spread our allegiance around. But either way, it's becoming increasingly difficult to not pledge allegiance to at least one of them." Classical medieval feudalism depended on overlapping, complex, hierarchical relationships. Today we users must trust the security of these hardware manufacturers, software vendors, and cloud providers, and we choose to do it because of the convenience, redundancy, automation, and shareability. "In this new world of computing, we give up a certain amount of control, and in exchange we trust that our lords will both treat us well and protect us from harm (PDF). Not only will our software be continually updated with the newest and coolest functionality, but we trust it will happen without our being overtaxed by fees and required upgrades." In this system, we have no control over the security provided by our feudal lords. Like everything else in security, it's a trade-off. We need to balance that trade-off. "In Europe, it was the rise of the centralized state and the rule of law that undermined the ad hoc feudal system; it provided more security and stability for both lords and vassals. But these days, government has largely abdicated its role in cyberspace, and the result is a return to the feudal relationships of yore," concludes Schneier, adding that perhaps it's time for government to create the regulatory environments that protect us vassals. "Otherwise, we really are just serfs.""
Hugh Pickens writes writes: "For years lawmakers had heard warnings about holes in corporate and government systems that imperil US economic and national security. Now Ward Carroll writes that in the face of what most experts label as a potential “Cyber Pearl Harbor” threat, Republicans have stalled the Cybersecurity Act of 2012 with a Senate vote of 51–47 against the legislation drawing a quick response from the staff of Secretary of Defense Leon Panetta: “The U.S. defense strategy calls for greater investments in cybersecurity measures, and we will continue to explore ways to defend the nation against cyber threats,” says DoD spokesman George Little. “If the Congress neglects to address this security problem urgently, the consequences could be devastating.” Many Senate Republicans took their cues from the US Chamber of Commerce and businesses that framed the debate not as a matter of national security, but rather as a battle between free enterprise and an overreaching government wanting to leave companies to determine whether it would be more cost effective – absent liability laws around cyber attacks — to invest in the hardware, software, and manpower required to effectively prevent cyber attack or to simply weather attacks and fix what breaks afterwards. “Until someone can argue both the national security and the economic parts of it, you’re going to have these dividing forces,” says Melissa Hathaway, a White House cyber official in the Bush and Obama administrations. “Most likely, big industry is going to win because at the end of the day our economy is still in trouble.”"
Hugh Pickens writes writes: "Jayson E. Street dressed like a technician, walked into a bank, said he was there to measure "power fluctuations on the power circuit," and needed to plug a small white device that looked like a power adapter into the wall. "The power fluctuation story was total bullshit, of course," writes Robert McMillan in Wired. "Street had been hired by the bank to test out security at 10 of its West Coast branch offices." The bank, which Street isn't allowed to name, called the test off after he'd broken into the first four branches. "After the fourth one they said, 'Stop now please. We give up,'" says Street. "At one branch, the bank manager got out of the way so I could put it behind her desk." Built by a startup company called Pwnie Express, the Pwn Plug is pretty much the last thing you ever want to find on your network — unless you've hired somebody to put it there. Inspired by the SheevaPlug, a miniature low-power Linux computer that looks just like a power adapter, the Pwn Plug is a tiny computer that comes preloaded with an arsenal of hacking tools. It can be quickly plugged into any computer network and then used to access it remotely from afar. The basic model costs $480, but if you're willing to pay an extra $250 for the Elite version, you can connect it over the mobile wireless network. "The whole point is plug and pwn," says Dave Porcello, Pwnie Express's CEO. "Walk into a facility, plug it in, wait for the text message. Before you even get to the parking lot you should know it's working.""
Hugh Pickens writes writes: "Candace Jackson writes that an increasing number of home builders and buyers are looking for a new kind of security: homes equipped to handle everything from hurricanes, tornadoes and hybrid superstorms like this week's Sandy, to man-made threats ranging from home invasion to nuclear war. Fueling the rise of these often-fortresslike homes are new technologies and building materials—which builders say will ultimately be used on a more widespread basis in storm- and earthquake-threatened areas. For example, Alys Beach, a 158-acre luxury seaside community on Florida's Gulf Coast, has earned the designation of Fortified...for safer living® homes, which are designed to withstand strong winds. The roofs have two coats of limestone and exterior walls have 8 inches of concrete, reinforced every 32 inches for "bunkerlike" safety, according to marketing materials. Other builders are producing highly hurricane-proof residences that are circular in shape with "radial engineering," wherein roof and floor trusses link back to the home's center like spokes on a wheel, helping to dissipate gale forces around the structure; Deltec, a North Carolina-based builder, says it has never lost a circular home to hurricanes in over 40 years of construction. But Doug Buck says some "extreme" building techniques don't make financial sense. "You get to a point of diminishing returns," says Buck. "You're going to spend so much that honestly, it would make more sense to let it blow down and rebuild it.""
Hugh Pickens writes writes: "In 2007 businessman Russell Thornton lost his 3-year-old son at an amusement park. After a frantic 45-minute search, Thornton found the boy hiding in a play structure, but he was traumatized by the incident, and it spurred him to build a device that would help other parents avoid that fate. Even though most statistics show that rates of violent crime against children have declined significantly over the last few decades, and that abductions are extremely rare, KJ Dell’Antonia writes that with the array of new gadgetry like Amber Alert and the Securus eZoom our children need never experience the fears that come with momentary separations, or the satisfaction of weathering them. "You could argue that those of us who survived our childhoods of being occasionally lost, then found, are in the position of those who think car seats are overkill because they suffered no injury while bouncing around in the back of their uncle’s pickup," writes Dell’Antonia. "Wouldn’t a more powerful sense of security come from knowing your children were capable, and trusting in their ability to reach out for help at the moment when they realize they’re not?""
Hugh Pickens writes writes: "Neal Ungerleider writes about PlaceRaider, a trojan that can run in the background of any phone running Android 2.3 or above, and is hidden in a photography app that gives PlaceRaider the necessary permissions to access the camera and upload images. Once installed, PlaceRaider quietly takes pictures at random that are tagged with the time, location, and orientation of the phone while muting the phone's shutter sound. Once pictures are taken, PlaceRaider uploads them to a central server where they are knitted together into a 3D model of the indoor location where the pics were taken. A malicious user can then browse this space looking for objects worth stealing and sensitive data such as credit card details, identity data or calendar details that reveal when the user might be away. If a user's credit card, bank information, or personal information happens to be out in the open, all the better: the software can identify financial data, bar codes, and QR codes. End users will also be able to get the full layout of a victim's office or room. The good news? PlaceRaider isn't out in the wild yet. The malware was built as an academic exercise by a team at Indiana University as a proof of concept to show the invasive potential of visual malware beyond simple photo or video uploads and to demonstrate how to turn an individual's mobile device against himself (PDF), creating an advanced surveillance platform capable of reconstructing the user's physical environment for exploration and exploitation. "The message is clear — this kind of malware is a clear and present danger. It's only a matter of time before this game of cat and mouse becomes more serious.""
Hugh Pickens writes writes: "The Telegraph reports that security researcher Ravi Borgaonkar demonstrated code, now circulating freely online and comprising just 11 digits and symbols, that can be embedded in HTML and will wipe some Galaxy S3s, Samsung's flagship Android smartphones, restoring the phone to its factory settings without permission. The whole attack takes just two or three seconds and once launched there is nothing a Samsung owner can do to stop it, Borgaonkar says. The demonstration drew gasps and applause from assembled security experts at a computer security conference in Argentina and raises the threat that malicious hackers could trick Samsung smartphone owners into wiping gigabytes of data, simply by clicking a link. Borgaonkar says he has uncovered more codes built into Samsung devices that could be used in such attacks but says he did not want to reveal them because they could be useful to criminals. One code will "kill the SIM card," he says, and the only way to guard against the attacks is to switch off "service loading" in settings and disable QR code and NFC apps. Pau Oliva, a Spanish telecoms engineer and security blogger who tested the attack, demanded to know "what were Samsung engineers smoking when they set a code to do a factory reset?" Teri Daley, senior director of public relations at Samsung, said in an interview that the company had found that the problem was addressed in a software update issued months ago, so only customers using older versions of the software would be vulnerable, and that the company was now trying to determine the specific models and software versions that were affected by the vulnerability."