Monday, April 29, 2013
INFOGRAPHIC: Twacked! When good Twitter accounts go bad.
Saturday, March 16, 2013
VIDEO: Security Threats by the Numbers - Cisco 2013 Annual Security Report
The kind folks at Cisco published their Annual Security Report. What I like about what they did is that they chose to publish in a video infographic format. As you can tell, I'm a HUGE fan of infographics. However, if you're a stickler for PDF reports, I'll put a link to the entire report below the video.
- Global cloud traffic will increase sixfold over the next five years, growing at a rate of 44 percent from 2011 to 2016.
- Only one in five respondents say their employers do track their online activities on company-owned devices, while 46 percent say their employers do not track activity.
- 90 percent of IT professionals surveyed say they do indeed have policies that prohibit company-issued devices being used for personal online activity—although 38 percent acknowledge that employees break policy and use devices for personal activities in addition to doing work.
- Cisco’s research shows significant change in the global landscape for web malware encounters by country in 2012. China, which was second on the list in 2011 for web malware encounters, fell dramatically to sixth position in 2012. Denmark and Sweden now hold the third and fourth spots, respectively. The United States retains the top ranking in 2012, as it did in 2011, with 33 percent of all web malware encounters occurring via websites hosted in the United States.
Saturday, February 2, 2013
INFOGRAPHIC: Everything You Ever Wanted To Know About Facebook Security
Thursday, January 31, 2013
Monday, December 17, 2012
HACKED: Anonymous Keeps Its Word and Pwns Westboro Baptist Church
As I reported yesterday, the hacker consortium known as Anonymous has targeted the members of Westboro Baptist Church. The church announced, after the tragic events of 12/14/2012, that it would be picketing the funerals of the victims. Anonymous, along with the rest of the world, took this a bit personally and announced it would be lashing back. It began with a release of personal information on Westboro Baptist Church members and leaders. Most recently they decided to hack the church spokesperson's Twitter account, and the resulting tweets have provided an insight into how the "hacktivist" organization may have found some redemption.
Check out the "tweets" from @DearShirley - the account hacked by Anonymous.
This account is now being ran by @cosmothegod #UGNazi #oops
— Cosmo (@DearShirley) December 17, 2012
Sorry, Shirley isn't available at the moment. #hehe twitter.com/DearShirley/st…
— Cosmo (@DearShirley) December 17, 2012
@dearshirley @cosmothegod epic hack against some sick fuckers picketing murdered children's funerals. #westborobaptistcunts
— Dave Plank (@PlankDave) December 17, 2012
The internet wins today. @cosmothegod hacked @dearshirley, that horrible woman from WBC. Faith in humanity is slowing returning. Well played
— shannon (@juststay) December 17, 2012
@dearshirley God hates ignorance you ignorant fucks! @cosmothegod thanks for havin a conscience & sense of humor! #fuckWBC #GodSentTheHacker
— Boz (@whodatginga) December 17, 2012
“@dearshirley: This account is now being ran by @cosmothegod #UGNazi #oops" Hahaha I'm not usually a fan, but these guys are growing on me.
— Charles McIntosh (@xWhistlinDixieX) December 17, 2012
They've even called on the White House to declare Westboro Baptist Church a "hate group":
Everyone sign this petitions.whitehouse.gov/petition/legal… #UGNazi
— Cosmo (@DearShirley) December 17, 2012
Even politicians got in the mix:
RT @exiledsurfer Looks like #UGNazi has control of #WBC @dearshirley's twitter account. Oops. twitpic.com/bmqxae
— Rep. Dan Gordon (@_RepDanGordon) December 17, 2012
I'll be checking out the feed some more. It's bound to get even more interesting.
Sunday, December 16, 2012
VIDEO: Wi-Fi Security by disconnecters
I found this little gem on YouTube. Give it a look. It is certainly very interesting to see the relative ease with which Facebook and other social media accounts can be broken into. Here's the description from the folks at Disconnect on YouTube.
See how your Google and Facebook accounts can now be broken into through social widgets and see a new feature in Disconnect that protects you. Get Disconnect at https://disconnect.me/.
Contents:
1. Wi-Fi Snooping (https://youtu.be/g5mFbgxMHqQ?t=26s)
2. Widgetjacking (https://youtu.be/g5mFbgxMHqQ?t=1m32s)
3. Disconnect Security (https://youtu.be/g5mFbgxMHqQ?t=4m10s)
Disclaimer: While we think understanding how quickly and easily a nonexpert can compromise your security is important, the attack shown in this video may be considered wiretapping where you live and shouldn't be tried at home except with consent!
Credits: Written by Brian Kennish. Filmed and edited by Dan Kwon. Animated by Brian Kennish and Dan Kwon. Music (http://soundcloud.com/folkmusicforrobots/widgetjacking) written and recorded by Brian Kennish. Portions filmed at Coffee Adventure in Milpitas, California (https://www.facebook.com/pages/Coffee-Adventure/361643370157).
Thursday, December 13, 2012
Cyber Defense: The facts associated with the hacker mindset
The facts associated with the hacker mindset:
- Modern computers are finite state machines – they do not “think.” Hackers are highly intelligent and well skilled at their craft. We must respect that fact.
- Information is a commodity and tradeable.
- What man can conceive, man can and will hack.
- Retrofitting security onto existing platforms always fails, notwithstanding that most security systems were not designed from the inside out, beginning with an understanding of the hacker culture and methods.
- Teenagers have far more time and more energy than adults and will focus on what is cool. The good hack is very cool. Bragging rights are cool.
- While this statement was being written, attack vectors were exploited all over the world.
- In the commercial world, security is considered not a revenue generator but a revenue drain. In government, it takes second place to red tape. Too many government and business leaders are indifferent to security; at best, it is an afterthought laden with reactive rather than proactive behaviors.
- Hackers operate under a meritocracy – clue matters more than prestige and points are scored with their peers for successful hacks.
- Information has a shelf life and is subject to being exploited for hacker benefit.
- Intellectual property and sensitive data is a means for me to support my lifestyle.
Postulates of a Hacker:
- Understanding how things work is an advantage over ignorance.
- Curiosity and ego are more powerful motivators than money.
- Nationalism is more important to hackers than ‘props’ (AKA don’t hack where you live – PRC is an exception).
- Not all people are rational, therefore choices are not predictable.
- Finding flaws and vulnerabilities requires an unstructured approach and out-of-the-box thinking. This is contrary to a U.S. Government cleared engineer who follows structured guidelines.
- Success is relative to your environment and your alcohol intake or abusive behaviors. Hackers do not follow social norms and are very self-centric in behavior. It may not be disciplined, but often the “hack” works.
- There are no borders on the Internet.
- Accountability is an effective “deterrent” against “insecurity” – it applies to you, not me. If you fire me up, I will hit (hack) you.
The Hacker’s conclusions:
- If you turn it on and connect it, they will come – and try and take it.
- It is curious how very smart and knowledgeable people will beat disciplined trained people and then watch the disciplined ones hide their failures.
- The hacker mindset is learned by experience, not by rote or title. Our status is measured on our successes, not on your GSA rating or rank.
- Capture the flag is the best paradigm for understanding security.
- The race is on to achieve the rapid penetration, not to the organized or disciplined standard or followed policy.
- Conventional defenses in “cyber” warfare are easily circumvented and those that set conventional policy are the easiest to hack.
- If someone wants to breach your security seriously or badly enough – they will.
- The best defense is one that never blinks or sleeps or needs a break, is always on and is real time. Problem is, that is a big challenge for people that have secure benefits, families, run errands for the wife, and go home on holidays and weekends. Hackers sleep only when they need to.
- Closing the barn door after the horse is gone does little good – if one program costs hundreds of millions of dollars to create innovation – and the R&D is acquired with very little work and time by an adversary, then the hack has met its goal and the owner of the R&D and his program has been compromised. It isn’t a simple task, for example, to fund and redesign a modern warfighter component that was years in the making once an enemy acquires your design.
- eCommerce is insecure – but so is regular commerce including banking (lead pipe rule)
- Advancing and emerging hacker technology always defeats information security policies.
- Risk analysis matters more than policies and compliance – stopping an attacker in their tracks on the next hack is far more important than compliance.
- There is no accountability for poor security – only excuses.
- Competent adversaries exist and are growing in ranks (ATM hacks, Heartland, etc.). Cyber threats are increasing, not decreasing.
- Confidentiality is a function of time and energy.
- Bureaucracies are threatened by people who want to know how things work and hackers demand the right to know.
Monday, December 10, 2012
Cybersecurity | Senator Lieberman speaks before Senate about the need for cybersecurity legislation by JoeLieberman
Senator Feinstein on Cybersecurity by SenatorFeinstein
Sunday, December 2, 2012
South Carolina Governor Discusses Cyber Intrusion by ThePentagonChannel
Tuesday, November 20, 2012
The Power of Sound In Security
So, I have neither my hoverboard nor my flying car. However, we have seen numerous technological feats within the security industry. Whether it be BRS Labs' use of artificial intelligence to "learn" and detect human behavior via CCTV feeds or the ever-changing world of biometrics, we have witnessed some very interesting and promising tech tools for the industry. Some of them we have featured here at The Security Dialogue. The other day I came across the Twitter feed for Audio Analytic, a UK-based company which has developed a new dimension to the electronic security world.
Being the curious soul that I am, I contacted Audio Analytic about an interview to learn more about their products. I spoke with Dr. Christopher Mitchell, Audio Analytic's CEO and Founder. Going over his LinkedIn profile and other information I gathered from the Internet, I was drawn to Dr. Mitchell's extensive knowledge of sound information and signal processing. He received training at Harvard and is an NCGE Fellow. I digress.
What surprised me was the breadth of sounds the software can detect. Dr. Mitchell said it currently looks for sounds in four categories: glass breaks, signs of aggression, car alarms, and gunshots. As you can imagine, glass breaks, gunshots, and car alarms didn't trigger as much interest as "aggression". We've seen glass break and gunshot detection in various forms. In law enforcement, ShotSpotter has become the latest in a growing use of sound analysis technologies. When asked how they detect "aggression", Dr. Mitchell stated they look mostly for changes in pitch and for sounds attributed to aggressive behavior. Applications where you might see this deployed are lone workers, hospitals, convenience stores, and other places where any sign of aggressive behavior would need to be detected and mitigated as soon as possible.
Speaking of deployments, given the vast array of sounds Audio Analytic could possibly detect with applicable algorithms, it is not surprising to imagine the customers and applications extending far beyond the traditional security realm. When pressed about this, Dr. Mitchell was quick to inform me they had been contacted by various entities who also recognize its potential, and whose specific requests could not be discussed.
Like all analytics, this is purely software that would need to be integrated with existing hardware designed to capture both sound and video. A company that has already integrated many of Audio Analytic's features is Next Level Security Systems, an integrator offering a full suite of security services. NLSS' Gateway Security Platform provides "Audio Analytic with Glass Break Analytic and optional Gunshot, Aggression and Car Alarm packages", among a slew of other features.
Overall, I am quite impressed with what I see being developed in analytics, and Audio Analytic's software is no exception. I can only imagine its applications and deployments as it continues to develop. One of the greatest problems we face in security is false alarms. Audio Analytic has the ability to look deeper into the environments we protect and aid us in determining more accurately the difference between the benign and an actual threat. Dr. Mitchell said it best: "In the security world, we have affection for silent movies". Perhaps it's time we move on. As I stated before with BRS Labs, I have seen the future and it's now.
Wednesday, December 14, 2011
What happens online - NEVER stays there....
- The information you see below is not stored on our site and is only visible to you. I found this site while looking for resources on background check (mostly locating skips).
- The information was compiled using information (i.e. torrent files you downloaded, IP address) your computer provided when you, someone in your home, or someone who gained access to your WiFi network downloaded those files.
- I am publishing this tool with the hope that people will gain a better insight into how their activities can be, and are being, monitored on the Web via information they provide, sometimes unknowingly.
- There is a removal tool. However, it only removes your information from their site. I HIGHLY, HIGHLY, HIGHLY suggest you use it and never have a need for it again.
Wednesday, November 30, 2011
HOT!!:: FREE ONLINE CRYPTO CLASS AT STANFORD
So when Ivy League schools give FREE classes in cryptography, I don't waste any time in signing up. Looks like Stanford University is doing just that.
Here's some info direct from the FAQ section:
When does the class start?
The class will start in January 2012.
What is the format of the class?
The class will consist of lecture videos, which are broken into small chunks, usually between eight and twelve minutes each. Some of these may contain integrated quiz questions. There will also be standalone quizzes that are not part of video lectures, and programming assignments. There will be approximately two hours' worth of video content per week.
Will the text of the lectures be available?
We hope to transcribe the lectures into text to make them more accessible for those not fluent in English. Stay tuned.
Do I need to watch the lectures live?
No. You can watch the lectures at your leisure.
Can online students ask questions and/or contact the professor?
Yes, but not directly. There is a Q&A forum in which students rank questions and answers, so that the most important questions and the best answers bubble to the top. Teaching staff will monitor these forums, so that important questions not answered by other students can be addressed.
Will other Stanford resources be available to online students?
No.
How much programming background is needed for the course?
The course includes programming assignments and some programming background will be helpful. However, we will hand out lots of starter code that will help students complete the assignments. We will also point to online resources that can help students find the necessary background.
What math background is needed for the course?
The course is mostly self contained; however, some knowledge of discrete probability will be helpful. The wikibooks article on discrete probability should give sufficient background.
How much does it cost to take the course?
Nothing: it's free!
Will I get university credit for taking this course?
No.
The course is being taught by Professor Dan Boneh, who heads the applied cryptography group at the Computer Science department at Stanford University. Professor Boneh's research focuses on applications of cryptography to computer security. His work includes cryptosystems with novel properties, web security, security for mobile devices, digital copyright protection, and cryptanalysis. He is the author of over a hundred publications in the field and a recipient of the Packard Award, the Alfred P. Sloan Award, and the RSA award in mathematics. Last year Dr. Boneh received the Ishii award for industry education innovation. Professor Boneh received his Ph.D from Princeton University and joined Stanford in 1997.
Here's another look at the link for the class:
http://www.crypto-class.org/
Monday, October 3, 2011
My, how times have changed....Haven't they????....
Sunday, September 11, 2011
Ummm...I think it's safe to say someone might get fired for this one....
Thursday, May 22, 2008
Time for a Product Review - IronKey
I'm an avid user of encryption, so I have a slightly above basic understanding of how encryption works. Looking into the product, my first impression was that it was just another USB drive with the software on it. Nope. This thing has the encryption on its RAM chip - embedded. To say the least, I was impressed. The casing is almost indestructible without destroying the chips inside. It even has an aluminum backing on which you can engrave your signature in pen - very thin overcoat. It also has a serial number.
To make it sound even cooler - would you believe this thing has a self-destruct sequence? I'm not talking about Mission Impossible countdowns, but it only gives you ten tries at the passphrase; after ten wrong guesses it destroys your data, including the encryption key, making the drive useless. I love this thing. I HIGHLY recommend this product. Did I forget to mention that IronKey also has its own Tor router with Firefox preloaded? Very cool!
Chinese Really Dig Cyberwarfare...You Think?
"The People's Republic of China has concentrated primarily on cyber-reconnaissance, particularly data mining, rather than cyberattacks."
What about all of the attacks originating from China we've been reading about? Don't fret. The Chinese have set a goal of 2050 to achieve "electronic dominance" through attacks on information infrastructure.
While the DoD won't come out and say the world's second largest economy is vying for supremacy through hacking, it did note "a 31 percent increase in malicious activity on its networks from 2006 to 2007." What attraction does cyberwarfare have for such a country as China? It provides anonymity and an "asymmetrical advantage", according to Dr. James Mulvenon, director of advanced studies and analysis for Defense Group, Inc.
Commission Co-chairman Peter T.R. Brookes cited attacks last spring on Estonia, recalling that it wanted to invoke the collective defense clause of the NATO Charter, and said "this is a question of escalation" moving from non-conventional to conventional, i.e. military, responses.
Mulvenon said there's no reason why the United States should restrict itself to trying to deter cyberattacks electronically. His next remark should sound familiar.
"We should ... begin with the premise that we have all the tools of ... national power, and in many cases it might not be to the U.S. advantage to respond to an electronic or cyberintrusion or cyberattack simply in that realm," he said. "We may, in fact, want to take advantage of escalation dominance that we have in other elements of national power, whether it’s military or economic."
CyberCommand anyone? What about this little tidbit from the article?
Michael R. Wessel said he fears that the perimeter security methods such as routers and firewalls used to protect against network intrusion are produced overseas, increasingly in China. "Can we in fact have a secure perimeter," he wondered, "if in fact the Chinese are helping to build that perimeter?"
The nasty Cisco routers keep creeping back into the blogosphere. For more information, see the coverage from Security Management.
Tuesday, May 20, 2008
A new kind of war to fight....
Looks like the US Air Force Cyber Command is looking to establish the same level of superiority in cyberspace that the Air Force has in the skies. The Cyber Command wants a new set of "hacker" tools to engage in both offensive and defensive operations against cyber-based threats which pose a risk to American interests. No word yet on where the headquarters will be. As we hear more and more in the news about the growing murky criminal/hostile terrain that exists online, I suspect we'll see more justification for such units to exist. China has its own unit dedicated to this. Why not us?