
Category: Hackerterrorcybercyber

Seized pacemaker data used to indict arsonist

Image: LukeBam06

According to NetworkWorld, a man in Ohio with an implanted pacemaker was indicted as an arsonist, based on data the police seized from his device.

»[T]he cops wanted to know “Compton’s heart rate, pacer demand and cardiac rhythms before, during and after the fire.”« reports a local station, WLWT5.

Another news outlet reports »“A cardiologist who reviewed that data determined ‘it is highly improbable Mr. Compton would have been able to collect, pack and remove the number of items from the house, exit his bedroom window and carry numerous large and heavy items to the front of his residence during the short period of time he has indicated due to his medical conditions.’”« The retrieved data helped to indict Compton, who also had gasoline on various pieces of his clothing.


Disable Your Antivirus Software (Except Microsoft’s)

Robert O’Callahan explains in a blog article and an even more interesting link how antivirus software breaks Firefox (and many other pieces of software).

Among them are horror stories such as

For example, back when we first made sure ASLR was working for Firefox on Windows, many AV vendors broke it by injecting their own ASLR-disabled DLLs into our processes.

and many more. The advice is

Antivirus software vendors are terrible; don’t buy antivirus software, and uninstall it if you already have it (except, on Windows, for Microsoft’s).

(Written on Mac OS 10.11.6, because…)


Google starts a root CA

A certificate as seen in a network debugger

In order to communicate securely over an encrypted channel, both parties do not just have to agree on a common set of crypto keys, they also need to prove to each other that they are who they claim to be. If they do not, it is very easy for an attacker to mount a man-in-the-middle attack.

Certificates are what is used on the web and elsewhere to prove identity, and because no one can know all certificates, certificate authorities act as the trusted passport bureaus of the Internet. In theory.

In practice, that did not work out so well.


What data does WhatsApp collect

Hangout opens.

S: Good morning, Kris, please excuse me. You are using WhatsApp, I presume.

If so, how are you dealing with the problem of WhatsApp uploading the address book? Ignore it? Change config? Edit address book contacts?

Why I am asking: by not using WhatsApp, I am more and more out of the loop (school, parents, sport clubs, etc). At the moment I am trying to resist, probably being the last person on Planet Earth doing that.

Kris: Just use it. ‘Complete upload of the address book’ is untrue, and uninformed bullshit, btw. WhatsApp hashes stuff, and uploads the hashes. Hashes equal -> match.

Kris: What does WhatsApp collect (Findings under the Personal Information Protection and Electronic Documents Act (PIPEDA) dating from 2013)

Out-of-network numbers are stored as one-way, irreversibly hashed values. WhatsApp uses a multi-step treatment of the numbers, with the key step being an “MD5” hash function. The phone number and a fixed salt value serve as input to the hash function, and the output is truncated to 53 bits and combined with the country code for the number. The result is a 64-bit value which is stored in data tables on WhatsApp’s servers.

The findings complain about that, because it is not perfect, but I personally believe that to be a pretty good compromise, making you discoverable without pasting the actual numbers all over the place.

S: Thanks, didn’t know that. Problem solved.
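The hash-and-match lookup described in this conversation, as an added Python sketch that is not part of the original chat and not WhatsApp's code. The salt value, the input order, which 53 bits of the MD5 output are kept, the placement of the country code in the top 11 bits, and the `Directory` class are all assumptions, since the quoted findings do not specify them.

```python
import hashlib

# Assumptions: the quoted findings do not give the salt, the input order,
# which 53 bits are kept, or how the country code is combined.
SALT = b"constructed-fixed-salt"   # hypothetical value
HASH_BITS = 53                     # truncation length from the findings
CC_BITS = 64 - HASH_BITS           # 11 bits remain for the country code


def token(country_code, national_number):
    """Return the 64-bit value: country code on top, truncated MD5 below."""
    if not 0 < country_code < (1 << CC_BITS):
        raise ValueError("country code does not fit in 11 bits")
    digest = hashlib.md5(national_number.encode() + SALT).digest()
    truncated = int.from_bytes(digest, "big") >> (128 - HASH_BITS)
    return (country_code << HASH_BITS) | truncated


class Directory:
    """Server-side tables keyed by token; no plain numbers are stored."""

    def __init__(self):
        self.registered = {}   # token -> account
        self.pending = {}      # out-of-network token -> accounts that sent it

    def register(self, account, country_code, number):
        """Add a user; return the accounts that already listed this number."""
        t = token(country_code, number)
        self.registered[t] = account
        return sorted(self.pending.pop(t, set()))

    def sync_contacts(self, account, tokens):
        """Hashes equal -> match; unmatched tokens are kept for later."""
        matches = []
        for t in tokens:
            if t in self.registered:
                matches.append(self.registered[t])
            else:
                self.pending.setdefault(t, set()).add(account)
        return matches


# Constructed sample data (fictional 555 numbers).
ALICE = (49, "1705550100")
CAROL = (1, "2025550123")
```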


Yay, backdoors

The EFF reminds us that the general direction of current US politics is full steam backwards, and damn the torpedoes.

Trump’s nominee for Attorney General, Sen. Jeff Sessions, said on the topic of encryption backdoors:

Encryption serves many valuable and important purposes. It is also critical, however, that national security and criminal investigators be able to overcome encryption, under lawful authority, when necessary to the furtherance of national-security and criminal investigations.

The EFF comments:

Despite Sessions’ “on the one hand, on the other” phrasing, this answer is a clear endorsement of backdooring the security we all rely on. It’s simply not feasible for encryption to serve what Sessions concedes are its “many valuable and important purposes” and still be “overcome” when the government wants access to plaintext.

So we are set to repeat the discussions from the crypto wars 25 years ago all over again. Math does not change, and neither do the realities of key management.


Secure defaults kind of matter…

snyk writes on secure defaults:

Before version 2.6.0, the hipster data “store” MongoDB did not require authentication by default (wait, what?) and also bound to * instead of 127.0.0.1.

As a result, by default, each MongoDB data “store” has been accessible from the entire internet.

Scanners such as Shodan provide an index to all such MongoDB installations on the entire Internet. Enterprising anonymous “hackers” have monetized this opportunity by accessing these installations over the Internet, encrypting the data and then accepting Bitcoin for the decryption password – or scamming the installation’s owner, assuming that people who put production data on internet-wide installations with unauthenticated access deserve to be conned and then conned over again.

Other hipster data stores, including Elasticsearch, CouchDB and Redis, are known to have similar access properties. NoSQL might actually mean “NoSequrity”.
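A configuration check for the two MongoDB defaults described above, added here as an example (not snyk's or MongoDB's code). It reads the legacy `key = value` mongod.conf format with the `bind_ip` and `auth` options, and assumes that an absent key means the pre-2.6.0 behaviour the post describes; the sample configs are constructed.

```python
import ipaddress

# Assumption: defaults as the post describes them for mongod before 2.6.0
# when the config file sets nothing (all interfaces, no authentication).
LEGACY_DEFAULTS = {"bind_ip": "0.0.0.0", "auth": "false"}

def parse_legacy_conf(text):
    """Parse the old 'key = value' mongod.conf format into a dict."""
    settings = dict(LEGACY_DEFAULTS)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value
    return settings

def exposed_addresses(bind_ip):
    """Return the configured listen addresses that are not loopback."""
    exposed = []
    for addr in (a.strip() for a in bind_ip.split(",") if a.strip()):
        try:
            if not ipaddress.ip_address(addr).is_loopback:
                exposed.append(addr)
        except ValueError:
            if addr != "localhost":   # hostname we cannot classify: flag it
                exposed.append(addr)
    return exposed

def audit(text):
    """Return a list of findings for one config file's contents."""
    conf = parse_legacy_conf(text)
    findings = []
    exposed = exposed_addresses(conf["bind_ip"])
    auth_on = conf["auth"].lower() == "true"
    if exposed:
        findings.append("listens on non-loopback address(es): " + ", ".join(exposed))
    if not auth_on:
        findings.append("authentication is not enabled")
    if exposed and not auth_on:
        findings.append("CRITICAL: unauthenticated and reachable from the network")
    return findings

# Constructed sample configs, not taken from any real installation.
DEFAULT_CONF = "dbpath = /var/lib/mongodb\nport = 27017\n"
HARDENED_CONF = "dbpath = /var/lib/mongodb\nbind_ip = 127.0.0.1\nauth = true\n"
```

`audit(DEFAULT_CONF)` reports all three findings, while `audit(HARDENED_CONF)` returns an empty list.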


Sending letters the CIA way

Paleofuture has an interesting article on sending letters, the CIA way.

When you file a Freedom of Information Act (FOIA) request with a federal agency, they’ll often send you physical letters in the mail. When I got my first response letter from the CIA, I was a little surprised to see some old-fashioned, anti-spy tech on the back of the envelope. As you can see from the photos above and below, there’s no way to open the envelope without making it clear you’ve been messing with it.

The author inquired about the how and why and, despite the inquiry not being a formal FOIA request, got an answer.

The “gummed kraft sealing tape” the agency uses is three inches wide, and the indications from the response to my FOIA request suggest that the agency buys it in 450-foot rolls.

The article does have a part and an order number for the tape, in case you need it.
