Securing the Nest Thermostat
A group of hackers are using a vulnerability in the Nest thermostat to secure it against Nest’s remote data collection.
Page 410
Fingerprinting Computers By Making Them Draw Images
Here’s a new way to identify individual computers over the Internet. The page instructs the browser to draw an image. Because each computer draws the image slightly differently, this can be used to uniquely identify each computer. This is a big deal, because there’s no way to block this right now.
EDITED TO ADD (7/22): This technique was first described in 2012. And it seems that NoScript blocks this. Privacy Badger probably blocks it, too.
EDITED TO ADD (7/23): EFF has a good post on who is using this tracking system—the White House is—and how to defend against it.
And a good story on BoingBoing.
Friday Squid Blogging: Squid Dissection
A six-hour video of a giant squid dissection from Auckland University of Technology.
As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.
NASDAQ Hack
Long article on a sophisticated hacking of the NASDAQ stock exchange.
US National Guard is Getting Into Cyberwar
The Maryland Air National Guard needs a new facility for its cyberwar operations:
The purpose of this facility is to house a Network Warfare Group and ISR Squadron. The Cyber mission includes a set of capabilities, expertise to enable the cyber operational need for an always-on, net-speed awareness and integrated operational response with global reach. It enables operators to drive upstream in pursuit of cyber adversaries, and is informed 24/7 by intelligence and all-source information.
Is this something we want the Maryland Air National Guard to get involved in?
Hackers Steal Personal Information of US Security-Clearance Holders
The article says they were Chinese but offers no evidence:
The intrusion at the Office of Personnel Management was particularly disturbing because it oversees a system called e-QIP, in which federal employees applying for security clearances enter their most personal information, including financial data. Federal employees who have had security clearances for some time are often required to update their personal information through the website.
This is a big deal. If I were a government, trying to figure out who to target for blackmail, bribery, and other coercive tactics, this would be a nice database to have.
Security Against Traffic Analysis of Cloud Data Access
Here’s some interesting research on foiling traffic analysis of cloud storage systems.
Risks of Keyloggers on Public Computers
Brian Krebs is reporting that:
The U.S. Secret Service is advising the hospitality industry to inspect computers made available to guests in hotel business centers, warning that crooks have been compromising hotel business center PCs with keystroke-logging malware in a bid to steal personal and financial data from guests.
It’s actually a very hard problem to solve. The adversary can have unrestricted access to the computer, especially hotel business center computers that are often tucked away where no one else is looking. I assume that if someone has physical access to my computer, he can own it. This is doubly true if he has hardware access.
Legal Attacks Against Tor
Last week, we learned that the NSA targets people who look for information about Tor. A few days later, the operator of a Tor exit node in Austria has been found guilty as an accomplice, because someone used his computer to transmit child porn. Even more recently, Tor has been named as a defendant in a revenge-porn suit in Texas because it provides web-porn operators with privacy.
Here’s the EFF: “Seven Things You Should Know About Tor.”
EDITED TO ADD (7/16): It seems that article about Tor in Austria was wrong.
GCHQ Catalog of Exploit Tools
The latest Snowden story is a catalog of exploit tools from JTRIG (Joint Threat Research Intelligence Group), a unit of the British GCHQ, for both surveillance and propaganda. It’s a list of code names and short descriptions, such as these:
GLASSBACK: Technique of getting a targets IP address by pretending to be a spammer and ringing them. Target does not need to answer.
MINIATURE HERO: Active skype capability. Provision of real time call records (SkypeOut and SkypetoSkype) and bidirectional instant messaging. Also contact lists.
MOUTH: Tool for collection for downloading a user’s files from Archive.org.
PHOTON TORPEDO: A technique to actively grab the IP address of MSN messenger user.
SILVER SPECTOR: Allows batch Nmap scanning over Tor.
SPRING BISHOP: Find private photographs of targets on Facebook.
ANGRY PIRATE: is a tool that will permanently disable a target’s account on their computer.
BUMPERCAR+: is an automated system developed by JTRIG CITD to support JTRIG BUMPERCAR operations. BUMPERCAR operations are used to disrupt and deny Internet-based terror videos or other materials. The techniques employs the services provided by upload providers to report offensive materials.
BOMB BAY: is the capacity to increase website hits/rankings.
BURLESQUE: is the capacity to send spoofed SMS messages.
CLEAN SWEEP: Masquerade Facebook Wall Posts for individuals or entire countries.
CONCRETE DONKEY: is the capacity to scatter an audio message to a large number of telephones, or repeatedely bomb a target number with the same message.
GATEWAY: Ability to artificially increase traffic to a website.
GESTATOR: amplification of a given message, normally video, on popular multimedia websites (Youtube).
SCRAPHEAP CHALLENGE: Perfect spoofing of emails from Blackberry targets.
SUNBLOCK: Ability to deny functionality to send/receive email or view material online.
SWAMP DONKEY: is a tool that will silently locate all predefined types of file and encrypt them on a targets machine
UNDERPASS: Change outcome of online polls (previously known as NUBILO).
WARPATH: Mass delivery of SMS messages to support an Information Operations campaign.
HAVLOCK: Real-time website cloning techniques allowing on-the-fly alterations.
HUSK: Secure one-on-one web based dead-drop messaging platform.
There’s lots more. Go read the rest. This is a big deal, as big as the TAO catalog from December.
I would like to post the entire list. If someone has a clever way of extracting the text, or wants to retype it all, please send it to me.
EDITED TO ADD (7/16): HTML of the entire catalog is here.
Sidebar photo of Bruce Schneier by Joe MacInnis.