Entries Tagged "hoaxes"

Page 4 of 6

Attackers Exploiting Security Procedures

In East Belfast, burglars called in a bomb threat. Residents evacuated their homes, and then the burglars proceeded to rob eight empty houses on the block.

I’ve written about this sort of thing before: sometimes security procedures themselves can be exploited by attackers. It was Step 4 of my “five-step process” from Beyond Fear (pages 14-15). A national ID card make identity theft more lucrative; forcing people to remove their laptops at airport security checkpoints makes laptop theft more common.

Moral: you can’t just focus on one threat. You need to look at the broad spectrum of threats, and pay attention to how security against one affects the others.

Posted on April 30, 2007 at 12:27 PMView Comments

Social Engineering Notes

This is a fantastic story of a major prank pulled off at the Super Bowl this year. Basically, five people smuggled more than a quarter of a ton of material into Dolphin Stadium in order to display their secret message on TV. A summary:

Just days after the Boston bomb scare, another team of Boston-based pranksters smuggled and distributed 2,350 suspicious light-up devices into the Super Bowl. Due to its attractiveness as a terrorist target, Dolphin Stadium was on a Level One security alert, a level usually reserved for Presidential inaugurations. By posing as media reporters, the pranksters were able to navigate 95 boxes through federal marshals, Homeland Security agents, bomb squads, police dogs, and a five-ton X-ray crane.

Given all the security, it’s amazing how easy it was for them to become part of the security perimeter with all that random stuff. But to those of us who follow this thing, it shouldn’t be. His observations are spot on:

1. Wear a suit.
2. Wear a Bluetooth headset.
3. Pretend to be talking loudly to someone on the other line.
4. Carry a clipboard.
5. Be white.

Again, no surprise here. But it makes you wonder what’s the point of annoying the hell out of ordinary citizens with security measures (like pat down searches) when the emperor has no clothes.

Someone who crashed the Oscars last year gave similar advice:

Show up at the theater, dressed as a chef carrying a live lobster, looking really concerned.

On a much smaller scale, here’s someone’s story of social engineering a bank branch:

I enter the first branch at approximately 9:00AM. Dressed in Dickies coveralls, a baseball cap, work boots and sunglasses I approach the young lady at the front desk.

“Hello,” I say. “John Doe with XYZ Pest Control, here to perform your pest inspection.?? I flash her the smile followed by the credentials. She looks at me for a moment, goes “Uhm… okay… let me check with the branch manager…” and picks up the phone. I stand around twiddling my thumbs and wait while the manager is contacted and confirmation is made. If all goes according to plan, the fake emails I sent out last week notifying branch managers of our inspection will allow me access.

It does.

Social engineering is surprisingly easy. As I said in Beyond Fear (page 144):

Social engineering will probably always work, because so many people are by nature helpful and so many corporate employees are naturally cheerful and accommodating. Attacks are rare, and most people asking for information or help are legitimate. By appealing to the victim’s natural tendencies, the attacker will usually be able to cozen what she wants.

All it takes is a good cover story.

EDITED TO ADD (4/20): The first commenter suggested that the Zug story is a hoax. I think he makes a good argument, and I have no evidence to refute it. Does anyone know for sure?

EDITED TO ADD (4/21): Wired concludes that the Super Bowl stunt happened, but that no one noticed. Engaget is leaning toward hoax.

Posted on April 20, 2007 at 6:41 AMView Comments

Security-Related April Fool's Jokes

My favorite so far: “Window Transparency Information Disclosure.”

An information disclosure attack can be launched against buildings that make use of windows made of glass or other transparent materials by observing externally-facing information through the window.

There’s also “Technology retrieves sounds in the wall“:

Every wall in a room is made up of millions and millions of atoms. Each atom is a collection of electrons, protons and neutrons – all electrically charged and constantly moving.

When anyone inside the four walls of a room speaks, the sound carries energy that travels in waves and hits the walls. When this voice energy hits the atoms in a wall the electrons and protons are disturbed.

Each word spoken hits the atoms with a different energy level and disturbs the atoms differently.

Scientists have worked on the software and technology that can measure how each atom has been disturbed and match each unique disturbance with a unique word.

The technology virtually “replays” the sequence of words that have been spoken inside the walls. It’s like rewinding a tape recorder and you can go as far back in history as you want.

If you find any others, please post them in the comments. This is the canonical list of April Fool’s jokes on the web.

EDITED TO ADD (4/1): “Threat Alert” Jesus.

EDITED TO ADD (4/2): And this by Jim Harper.

Posted on April 1, 2007 at 11:23 AMView Comments

Real-World Social Engineering Crime

Classic:

Late on Monday, two thieves used a swipe card to drive a van up to Easynet’s Brick Lane headquarters. Once inside they began loading equipment into their van. They were watched by two security guards—one was doing his rounds and the other watched by CCTV—but both assumed the thieves, with their legitimate swipe cards also had a legitimate reason to take the kit, according to our sources.

EDITED TO ADD (11/25): Here’s another story (link in Turkish). The police receive an anonymous emergency call from someone claiming to have planted an explosive in the Haydarpasa Numune Hospital. They evaculate the hospital (100 patients plus doctors, staff, visitors, etc.) and search the place for two hours. They find nothing. When patients and visitors return, they realize that their valuables were stolen.

Posted on October 24, 2006 at 2:13 PMView Comments

Firefox JavaScript Flaw: Real or Hoax?

Two hackers—Mischa Spiegelmock and Andrew Wbeelsoi—have announced a flaw in Firefox’s JavaScript:

An attacker could commandeer a computer running the browser simply by crafting a Web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon hacker conference here. The flaw affects Firefox on Windows, Apple Computer’s Mac OS X and Linux, they said.

More interesting was this piece:

The hackers claim they know of about 30 unpatched Firefox flaws. They don’t plan to disclose them, instead holding onto the bugs.

Jesse Ruderman, a Mozilla security staffer, attended the presentation and was called up on the stage with the two hackers. He attempted to persuade the presenters to responsibly disclose flaws via Mozilla’s bug bounty program instead of using them for malicious purposes such as creating networks of hijacked PCs, called botnets.

“I do hope you guys change your minds and decide to report the holes to us and take away $500 per vulnerability instead of using them for botnets,” Ruderman said.

The two hackers laughed off the comment. “It is a double-edged sword, but what we’re doing is really for the greater good of the Internet. We’re setting up communication networks for black hats,” Wbeelsoi said.

Sounds pretty bad? But maybe it’s all a hoax:

Spiegelmock, a developer at Six Apart, a blog software company in San Francisco, now says the ToorCon talk was meant “to be humorous” and insists the code presented at the conference cannot result in code execution.

Spiegelmock’s strange about-face comes as Mozilla’s security response team is racing to piece together information from the ToorCon talk to figure out how to fix the issue.

[…]

On the claim that there are 30 undisclosed Firefox vulnerabilities, Spiegelmock pinned that entirely on co-presenter Wbeelsoi. “I have no undisclosed Firefox vulnerabilities. The person who was speaking with me made this claim, and I honestly have no idea if he has them or not. I apologize to everyone involved, and I hope I have made everything as clear as possible,” Spiegelmock added.

I vote: hoax, with maybe some seeds of real.

Posted on October 4, 2006 at 7:04 AMView Comments

Antiterrorism Expert Claims to Have Smuggled Bomb onto Airplane Twice

I don’t know how much of this to believe.

A man wearing a jacket and carrying a bag was able to sneak a bomb onto a flight from Manila to Davao City last month at the height of the nationwide security alert after Britain uncovered a plot to blow up transatlantic planes.

The man pulled off the same stunt on the return flight to Manila.

Had he detonated the bomb, he would have turned the commercial plane into a fireball and killed himself, the crew and hundreds of other passengers.

The man turned out to be a civilian antiterrorism expert tapped by a government official to test security measures at Philippine airports after British police foiled a plan to blow up US-bound planes in midair using liquid explosives.

In particular, if he actually built a working bomb in an airplane lavatory, he’s an idiot. Yes, C4 is stable, but playing with live electrical detonators near high-power radios is just stupid. On the other hand, bringing everything through security and onto the plane is perfectly plausible. Security is so focused on catching people with lipstick and shampoo that they’re ignoring actual threats.

EDITED TO ADD (9/3): More news.

EDITED TO ADD (9/8): The “expert” is Samson Macariola, and he has recanted.

Posted on September 1, 2006 at 12:41 PMView Comments

New Anonymous Browser

According to Computerworld and InfoWorld, there’s a new Web browser specifically designed not to retain information.

Browzar automatically deletes Internet caches, histories, cookies and auto-complete forms. Auto-complete is the feature that anticipates the search term or Web address a user might enter by relying on information previously entered into the browser.

I know nothing else about this. If you want, download it here.

EDITED TO ADD (9/1): This browser seems to be both fake and full of adware.

Posted on September 1, 2006 at 8:23 AMView Comments

Printer Security

At BlackHat last week, Brendan O’Connor warned about the dangers of insecure printers:

“Stop treating them as printers. Treat them as servers, as workstations,” O’Connor said in his presentation on Thursday. Printers should be part of a company’s patch program and be carefully managed, not forgotten by IT and handled by the most junior person on staff, he said.

I remember the L0pht doing work on printer vulnerabilities, and ways to attack networks via the printers, years ago. But the point is still valid and bears repeating: printers are computers, and have vulnerabilities like any other computers.

Once a printer was under his control, O’Connor said he would be able to use it to map an organization’s internal network—a situation that could help stage further attacks. The breach gave him access to any of the information printed, copied or faxed from the device. He could also change the internal job counter—which can reduce, or increase, a company’s bill if the device is leased, he said.

The printer break-in also enables a number of practical jokes, such as sending print and scan jobs to arbitrary workers’ desktops, O’Connor said. Also, devices could be programmed to include, for example, an image of a paper clip on every print, fax or copy, ultimately driving office staffers to take the machine apart looking for the paper clip.

Getting copies of all printed documents is definitely a security vulnerability, but I think the biggest threat is that the printers are inside the network, and are a more-trusted launching pad for onward attacks.

One of the weaknesses in the Xerox system is an unsecured boot loader, the technology that loads the basic software on the device, O’Connor said. Other flaws lie in the device’s Web interface and in the availability of services such as the Simple Network Management Protocol and Telnet, he said.

O’Connor informed Xerox of the problems in January. The company did issue a fix for its WorkCentre 200 series, it said in a statement. “Thanks to Brendan’s efforts, we were able to post a patch for our customers in mid-January which fixes the issues,” a Xerox representative said in an e-mailed statement.

One of the reasons this is a particularly nasty problem is that people don’t update their printer software. Want to bet approximately 0% of the printer’s users installed that patch? And what about printers whose code can’t be patched?

EDITED TO ADD (8/7): O’Connor’s name corrected.

Posted on August 7, 2006 at 10:59 AMView Comments

Paris Bank Hack at Center of National Scandal

From Wired News:

Among the falsified evidence produced by the conspirators before the fraud unraveled were confidential bank records originating with the Clearstream bank in Luxembourg, which were expertly modified to make it appear that some French politicians had secretly established offshore bank accounts to receive bribes. The falsified records were then sent to investigators, with enough authentic account information left in to make them appear credible.

Posted on July 17, 2006 at 6:42 AMView Comments

1 2 3 4 5 6

Sidebar photo of Bruce Schneier by Joe MacInnis.