Thursday, June 17, 2021

A password stealer no one would suspect

from here

Normally it's a login form that gets stuffed (and that would actually accomplish something), but why not stuff a Roomba, or even a turkey for that matter.

You can't enter your passcode until you enter the pawscode


Watch on YouTube

Clearly this is a new layer of security that banks have added to their automated teller machines. I think we can all guess what happens when you enter the wrong code.

Wednesday, June 16, 2021

If it starts with "smart", it probably isn't

from here and here (source article)

If ransomware can impact global meat production then maybe the security of Internet connected BBQs is worth considering.

The Internet of Shit is one thing, but the Internet of Flaming Shit would be even worse.

The mythology of camouflage

found on Reddit

Much of the camouflage memes we see today are based (in a mocking way) on the idea that camouflage magically makes things invisible rather than the reality that it just makes it difficult to distinguish the camouflaged item from what's behind it if it looks enough like what's behind it. 


Tuesday, June 15, 2021

When cameras are not enough

from here and here (image source)

Standard CCTV cameras aren't perfect, so there are always people coming up with something new and better. I'm not sure if trained cats are effective, but that one sure has an excellent vantage point.

I Support Government Approved Encryption shirt

Product Page

 
Product Page

If the government had their way, even the Ceasar Cipher wouldn't be allowed (it was military grade encryption a few millenia ago). They want something they can easily access so it probably wouldn't be much different than simply writing things backwards as shown above.

Monday, June 14, 2021

How "smart" is that exercise bike now?

from here

>It's hard to get over the idea of entrusting the privacy of your data to a company with the same name as ECHELON, even if there wasn't a specific security incident calling their capabilities into question

Aquaman must hate biometrics

found on Reddit

No doubt water impedes more than just fingerprint recognition. If you've got water still running down your face that's probably going to make face, iris, and retina recognition more challenging as well. 

Friday, June 11, 2021

Situational Awareness Fail

from here

It's probably a good idea to watch where you're going even if you're not a criminal on the run.

What rhymes with opsec?

found on Acid Cow

Maybe try not broadcasting your illegal exploits for the entire world to hear about.

Thursday, June 10, 2021

Next thing you know they'll be recording your keystrokes

from here and here (source article)

At first I was like "next they'll be encrypting your drive", but wait, maybe they already have full disk encryption. Then I thought, about carrying out commands sent from a server, but that's kind of part of how some anti-malware works too (especially those that send samples to the company's servers if it's a file that's never been seen before). They also download and execute binaries from remote servers - as part of their update process.

It's getting harder and harder to find a malicious payload that doesn't have a counterpart in security software.

Mr Locksmith : Open Sentry Safe In Less Than 5 Seconds


Watch on YouTube

It's discouraging to learn that so many things can be opened with nothing more than a big magnet.

Wednesday, June 9, 2021

The sun went down on the going dark problem

from here

I always knew the government had it in them to gather evidence of criminal activity in spite of encrypted communications. They just had to put in the work instead of asking the tech industry for an Easy Button. Now that they've shown they can sell their own backdoored phones to criminals all over the world, read tens of millions of encrypted messages, and make nearly a thousand arrests (with more coming), they better realize they can't leverage their perceived helplessness in negotiations with tech companies any longer. Everyone knows what they're capable of and arguably their approach is better than anything the tech industry can do because it's much more targeted.

Destroyer of codec scams

found on Reddit

Back in the day, videos with weird formats were a popular bait used by malware authors to get people to install face codecs that were actually malware in hopes of playing those videos. But VLC could play virtually anything without the need for additional codecs and as people figured that out, those fake codecs became less effective and eventually went out of fashion.

Tuesday, June 8, 2021

Nothing trumps that logic

from here and here

Leave it to Presi-don't Trump to give us a take that's both completely obvious and completely useless.

Your Ports Were Open sticker

Product Page

If you've got a firewall then hopefully you don't have any open ports. Hopefully.

Monday, June 7, 2021

Think I'll stick with dumb devices

from here

Honestly, there are so many problems with smart devices, allowing attackers to break into your home network is just the tip of the iceberg.

No wonder the Mounties always get their man

found on Izismile

Canadian criminals can be so cooperative. Almost makes you wonder how people this intent on following the rules can find themselves breaking the law.

Friday, June 4, 2021

So much for those backups

from here

While Exagrid did have to go back and ask for the decryption tool a second time (apparently not only did their backup solution work to restore their data, they didn't manage to make a backup of the decryption tool either), they would have been in a bind even if their technology had been able to work for them because ransomware doesn't just encrypt data anymore - the operators make their own backups of your data and threaten to expose it if you don't pay up. 

Unfortunately, while restoring from backups is absolutely the ideal approach to getting your data back, it's frequently no longer sufficient for dealing with ransomware incidents because of the added blackmail approach.

Who needs special characters?

found on Izismile

I mean, it's not actually a very good password if it's on a big sign as you drive into town, but other than that, some of them look like they might be long enough to be pretty good. 

Thursday, June 3, 2021

That should max it out nicely

from here (source article)

Most of the people I've encountered over the years have complained that their antivirus uses too much resources and slows their system down.This must be for the alternate reality versions of those people.

Thor's Biometric Hammer


Watch on YouTube

It's refreshing to see that there are still applications for biometrics that don't feed into a dystopian surveillance panopticon. This novel example of biometric authentication seems like a great way to educate people about a number of different engineering and security concepts.

Wednesday, June 2, 2021

The crooks have got a bullseye on them now

from here and here

Can you imagine the trouble you'd get in with other crooks if they found out that it was YOU who attacked the global critical meat infrastructure?! Only the vegans would give you a pass on that one.

Beware Of Dog 2.0

found on EvilMilk

I'm not sure if this is more or less effective than standard beware of dog signs when it comes to deterrence. Can you tell what kind of dog it is? Not exactly. Can you tell how big it is? Again, not exactly. It doesn't appear to be one of the very tiny breeds, but there's still an element of the unknown here which is important in fostering fear. I guess what this one does is evade the parts of our brains that have grown to ignore beware of dog signs.

Tuesday, June 1, 2021

Who knew you could be identified by your identifying marks?

from here

You'd think a member of the mafia would know enough opsec to keep his tattoos covered when broadcasting his likeness across the globe. I guess not all of them do.

Encryption dress

Product Page

Who doesn't want to wear AES ciphertext on their dress? I just wonder what it says. I suppose one may have to remind cryptographers that your eyes are up here, since I'm sure some of them will be trying to decode the message.

Monday, May 31, 2021

Automatically enabled for your convenience

from here and here

Y'know what? If I wanted to share my Internet with my neighbors, I'd give them the wifi password. Amazon seems to not understand property or consent here, and I'm not sure how this plan made it past their legal department. The amount of bad will this will create in their customers is going to be mind boggling.

Attackers outsource too

found on Imgur

 

Friday, May 28, 2021

You'd have to be nuts not to

from here and here (image source)

Of course with the chain on the outside the squirrels aren't actually keeping anybody out, but I've seen humans make equivalent blunders.

The haute couture of camouflage

found on Izismile

If you can't go unseen, you might as well be very seen, I guess. Give them some of the old razzle dazzle. If you haven't heard of dazzle camouflage before there might be a good reason for that. It seems like it may have worked better on paper than in practice (much like the extravagant clothes you might seen on fashion runways don't really work for real life).

Thursday, May 27, 2021

Easy peasy kinda sleazy

from here and here (image source)

I don't know, maybe the "Army Of The Dead" character Bly Tanaka simply didn't want to divulge the combination because he reuses it for everything, but it certainly would have made their jobs easier if he'd given them that bit of info.

Michael McIntyre : You Should Probably Change Your Password


Watch on YouTube

Do people really remember their first password? I can't seem to recall mine. I don't remember most of my current passwords either, thanks to my password manager. 

My first password would have been 35 years ago, long before I got on the Internet, and I was the one who coded the password prompt so I was really inflicting that on myself.

Wednesday, May 26, 2021

When is a bum rap not a bum rap?

from here

Sometimes I think people would be better off if they left their mobile phones at home. When you're committing a crime seems like one of those times. Barring that, set a passcode on it so that it can't be unlocked with your ass.

Tuesday, May 25, 2021

Looks like everything is vulnerable, again

from here and here

Apparently billions of devices are vulnerable to a series of wifi vulnerabilities, and if you thought bitcoin consumed a lot of energy, just imagine how much would be used applying updates to billions of devices.

Encrypt mug

Product Page

You have to look pretty close in order for your brain to decode the letters in these blocks. It's almost as if they're encrypted themselves.

Monday, May 24, 2021

Do it again!

from here

They may not have been the biggest name in government spyware, but it's still good that they're gone.

Can't wait for Apple's face mask ID technology

found on Reddit

I don't actually have high hopes that anyone will be able to come up with face recognition that can identify you through a mask (heck, that much coverage could foil even human-based face recognition), but if anyone could do it, I suspect it would be Apple. 

Friday, May 21, 2021

Convenience vs. Security

from here (image source)

There are those who don't want to admit it, but it often seems like the price of security is paid in lost convenience. It's hard to imagine something that has been made more secure without adding more steps to access it.

Fake it 'til you make it

found on Izismile

Hollywood - the only place where faking it is actually the skill they're looking for. No wonder realism is so hard to find there. 

Thursday, May 20, 2021

Double encryption all the way across the drive

from here

I suppose ROT13 isn't quite as good for binary data, so how about ROT128 instead? That way when it's encrypted twice it will just change it back to it's starting form.

Putting the 'trick' in biometric authentication


Watch on YouTube

There's a now well known problem with fingerprint biometric authentication - someone can use you're fingerprint without your consent. Well, if you're willing to put up with a little bit of inconvenience, perhaps using something other than your finger could mitigate that problem. You'll probably want to make sure no one sees you unlock your phone, though, or they'll just use whatever you normally use.

Wednesday, May 19, 2021

That's where the cyber-insurance money is

from here

I have to be honest that it never occurred to me that cyber-insurance companies fueling ransomware gangs was a problem that could solve itself, but if what happened between AXA and Avaddon catches on then maybe it could. If more ransomware operators that prefer victims with cyber-insurance realize they could cut out the middleman and go straight for the cyber-insurance companies then that could force the cyber-insurance industry to change how it does business.

No TouchID for you!

found on Izismile

Biometrics may be a pain, but you could have an interesting criminal career with that physical 'defect'.

Tuesday, May 18, 2021

Prices sure have changed

from here

It's amazing to see how much Plaid is willing to pay for people's logins. You can buy a lot of candy bars for $500. If this is anything like cryptocurrency, though, we should continue to hold on to our logins because the value is bound to go up even higher.

It's Not Malware It's Alternative Software shirt

Product Page

When I added the phrase "It's Not Malware It's Alternative Software" to a picture of Sean Spicer four years ago, I hadn't intended to create a catch phrase, but apparently that's precisely what I did. Enjoy this memetic evolution.

I wonder what other memes I've spawned without realizing it.

Monday, May 17, 2021

Now we know what people really care about

from here

I'm not going to claim a ransomware attack on critical infrastructure isn't serious, but if we can brush off ransomware attacks on hospitals then I think it's fair to ask why an attack on a pipeline is so much more serious that even unrelated ransomware operators are taking cover.

The many uses of online privacy

found on Reddit

I bet you thought there was only one reason to want to be private online, but there are at least two of them.

Friday, May 14, 2021

What else haven't they told us about?

from here

So much for the 'Walled Garden' keeping Apple users safe. It failed spectacularly and allowed a 128 million device botnet to be created out of compromised iDevices. And worse, because of Apple's lack of transparency, we have no reason to believe something like this hasn't happened before or since.

Regret in the surveillance state

found on Acid Cow

Maybe you should be careful what you search for.

Thursday, May 13, 2021

Maybe I should click on all the things

from here

While it's true that a COVID-themed phishing test is exactly what criminals would do, it's also true that this is exactly how you create disgruntled workers who sabotage operations, either through negligence or malicious action. West Midland Trains needs to learn how to read the room and keep their employees on their side.

Not exactly a clean getaway


Watch on YouTube

Imagine sitting in a plastic box full of dirty diapers and used kitty litter in the blazing sun for half an hour and then still getting caught. It's enough to make one reconsider one's life choices.

Wednesday, May 12, 2021

Well that makes it all better

from here

I have a tough time believing Russians, of all people, wouldn't know the societal consequences of an attack on a pipeline. As if they haven't been on the receiving end before.

Now pull my other leg

found on eBaum's World

Never too young to learn about scammers.

Tuesday, May 11, 2021

Isn't fewer incidents a good thing?

from here and here

Sometimes I feel like I'm stuck in Groundhog Day, listening to the same ridiculous arguments over and over again without end. Restricting access to dangerous materials makes sense and that doesn't have to mean that defenders can't get their hands on them - the AV research community proved that decades ago.

PCAP Or It Didn't Happen sticker

Product Page

If you know what a packet capture is then I don't have to tell you how important they can be, but not everyone does know, so go forth and spread the word.