Friday, June 25, 2021

Cyberweapon Go Brrr

from here and here (image source)

Not everything needs to be made into a smart device, and arguably some things definitely shouldn't. App-enabled handguns seem like a terrible idea.

What features do you suppose the electronics in this handgun actually implement and what do you suppose the consequences are if the battery dies in the middle of operation, or if the function falls under the control of a malicious remote individual? I wouldn't count on good outcomes in either situation.

And we can use light to kill the rest

found on Reddit

I've heard healing crystals also work. Not that I would rely on that.

Thursday, June 24, 2021

Too bad it didn't stay that way

from here

I know he's gone, and there's a school of thought that says you shouldn't speak ill of the dead, but I've had this idea percolating in my head for a while now and there aren't really going to be any further opportunities to get it out of there.

I won't directly mention the less wholesome association between McAfee and whales - that's a blue waffle that can easily be found with a search engine. Instead I'll just recall that in the distant past, a virus called McWhale contained a message claiming that John McAfee wrote a virus known as Whale.

Bypassing a fingerprint scanner with Elmer's glue

Watch on YouTube

I remember when this kind of bypass required a little more specialized materials than the paste your kid eats in kindergarten. I guess it just goes to show that attacks only improve over time

Wednesday, June 23, 2021

How smart is that thermostat now?

from here

ERCOT would like you to know that the electricity supply would be doing just fine if people didn't use it so much. But since they do, ERCOT convinced their customers to give the company the ability to adjust people's smart thermostats and of course they're going to do it when people are most in need of cooling.

Even a 4 year old could hack it

found on Reddit

If your security is so weak that even a 4 year old could hack it then you better hope you don't have any 4 year olds, because they'll get in one way or another when you least expect it.

Tuesday, June 22, 2021

Trying to follow infosec advice

from here and here

Inspired by an anecdote shared by Matthew Gracie.

Infosec rockstars like to share stories about the amazing things they do at the amazing organizations they work at. That's completely fine as long as you (and they) can keep in mind the second part of that statement. 

Unfortunately, if you can't (like most of us), it just serves to create unrealistic expectations. Those tall tales turn into advice that most can't follow because the support and/or resources just aren't there.

It's probably best to treat such stories as parables rather than prescriptive advice. See if you can find lessons you can use in them, but don't worry too much about trying to do exactly the same thing..

Will Give Cybersecurity Advice For Beer mug

Product Page

In case you have a lot to say about cybersecurity to anyone who'll listen, this mug could help you land opportunities to expound on that topic. 

It turns out this can also be found in beer mug format, but I think people have fewer opportunities to show off their personalized beer mugs.

Monday, June 21, 2021

Among other things

from here and here (image source)

I'm hoping there's a basement here. I'm hoping that's where the bathroom is, and maybe the bedroom. I have my doubts, though

Someone will still post a sign with the code on it

found on Nerd Ninja

Don't get me wrong, this is an impressive bit of engineering, and I'm sure it solves a problem. I'm just not sure it solves the right problem or in the right way. I actually think there are easier and simpler ways to combat passcode leakage through wear patters (that don't invalidate muscle memory like this does), but more importantly I don't think wear pattern obfuscation will do anything about the tendency of people to post the code right above/below/beside the lock.

Friday, June 18, 2021

Pick a side, already!

from here

There seems to be some very confused malware writers out there, unsure which side of the law they're supposed to be on. Of course both cybercrooks and copyright cops are villains, so at least we don't have to be confused about whether they're the good guys.

TSA finally catches a terrorist ... from Toon Town

found on Izismile

Pretty sure the person who made this is the same one who framed Roger Rabbit. Not that the TSA would be able to tell the difference. 

Thursday, June 17, 2021

A password stealer no one would suspect

from here

Normally it's a login form that gets stuffed (and that would actually accomplish something), but why not stuff a Roomba, or even a turkey for that matter.

You can't enter your passcode until you enter the pawscode

Watch on YouTube

Clearly this is a new layer of security that banks have added to their automated teller machines. I think we can all guess what happens when you enter the wrong code.

Wednesday, June 16, 2021

If it starts with "smart", it probably isn't

from here and here (source article)

If ransomware can impact global meat production then maybe the security of Internet connected BBQs is worth considering.

The Internet of Shit is one thing, but the Internet of Flaming Shit would be even worse.

The mythology of camouflage

found on Reddit

Much of the camouflage memes we see today are based (in a mocking way) on the idea that camouflage magically makes things invisible rather than the reality that it just makes it difficult to distinguish the camouflaged item from what's behind it if it looks enough like what's behind it. 

Tuesday, June 15, 2021

When cameras are not enough

from here and here (image source)

Standard CCTV cameras aren't perfect, so there are always people coming up with something new and better. I'm not sure if trained cats are effective, but that one sure has an excellent vantage point.

I Support Government Approved Encryption shirt

Product Page

Product Page

If the government had their way, even the Ceasar Cipher wouldn't be allowed (it was military grade encryption a few millenia ago). They want something they can easily access so it probably wouldn't be much different than simply writing things backwards as shown above.

Monday, June 14, 2021

How "smart" is that exercise bike now?

from here

>It's hard to get over the idea of entrusting the privacy of your data to a company with the same name as ECHELON, even if there wasn't a specific security incident calling their capabilities into question

Aquaman must hate biometrics

found on Reddit

No doubt water impedes more than just fingerprint recognition. If you've got water still running down your face that's probably going to make face, iris, and retina recognition more challenging as well. 

Friday, June 11, 2021

Situational Awareness Fail

from here

It's probably a good idea to watch where you're going even if you're not a criminal on the run.

What rhymes with opsec?

found on Acid Cow

Maybe try not broadcasting your illegal exploits for the entire world to hear about.

Thursday, June 10, 2021

Next thing you know they'll be recording your keystrokes

from here and here (source article)

At first I was like "next they'll be encrypting your drive", but wait, maybe they already have full disk encryption. Then I thought, about carrying out commands sent from a server, but that's kind of part of how some anti-malware works too (especially those that send samples to the company's servers if it's a file that's never been seen before). They also download and execute binaries from remote servers - as part of their update process.

It's getting harder and harder to find a malicious payload that doesn't have a counterpart in security software.

Mr Locksmith : Open Sentry Safe In Less Than 5 Seconds

Watch on YouTube

It's discouraging to learn that so many things can be opened with nothing more than a big magnet.

Wednesday, June 9, 2021

The sun went down on the going dark problem

from here

I always knew the government had it in them to gather evidence of criminal activity in spite of encrypted communications. They just had to put in the work instead of asking the tech industry for an Easy Button. Now that they've shown they can sell their own backdoored phones to criminals all over the world, read tens of millions of encrypted messages, and make nearly a thousand arrests (with more coming), they better realize they can't leverage their perceived helplessness in negotiations with tech companies any longer. Everyone knows what they're capable of and arguably their approach is better than anything the tech industry can do because it's much more targeted.

Destroyer of codec scams

found on Reddit

Back in the day, videos with weird formats were a popular bait used by malware authors to get people to install face codecs that were actually malware in hopes of playing those videos. But VLC could play virtually anything without the need for additional codecs and as people figured that out, those fake codecs became less effective and eventually went out of fashion.

Tuesday, June 8, 2021

Nothing trumps that logic

from here and here

Leave it to Presi-don't Trump to give us a take that's both completely obvious and completely useless.

Your Ports Were Open sticker

Product Page

If you've got a firewall then hopefully you don't have any open ports. Hopefully.

Monday, June 7, 2021

Think I'll stick with dumb devices

from here

Honestly, there are so many problems with smart devices, allowing attackers to break into your home network is just the tip of the iceberg.

No wonder the Mounties always get their man

found on Izismile

Canadian criminals can be so cooperative. Almost makes you wonder how people this intent on following the rules can find themselves breaking the law.

Friday, June 4, 2021

So much for those backups

from here

While Exagrid did have to go back and ask for the decryption tool a second time (apparently not only did their backup solution work to restore their data, they didn't manage to make a backup of the decryption tool either), they would have been in a bind even if their technology had been able to work for them because ransomware doesn't just encrypt data anymore - the operators make their own backups of your data and threaten to expose it if you don't pay up. 

Unfortunately, while restoring from backups is absolutely the ideal approach to getting your data back, it's frequently no longer sufficient for dealing with ransomware incidents because of the added blackmail approach.

Who needs special characters?

found on Izismile

I mean, it's not actually a very good password if it's on a big sign as you drive into town, but other than that, some of them look like they might be long enough to be pretty good. 

Thursday, June 3, 2021

That should max it out nicely

from here (source article)

Most of the people I've encountered over the years have complained that their antivirus uses too much resources and slows their system down.This must be for the alternate reality versions of those people.

Thor's Biometric Hammer

Watch on YouTube

It's refreshing to see that there are still applications for biometrics that don't feed into a dystopian surveillance panopticon. This novel example of biometric authentication seems like a great way to educate people about a number of different engineering and security concepts.

Wednesday, June 2, 2021

The crooks have got a bullseye on them now

from here and here

Can you imagine the trouble you'd get in with other crooks if they found out that it was YOU who attacked the global critical meat infrastructure?! Only the vegans would give you a pass on that one.

Beware Of Dog 2.0

found on EvilMilk

I'm not sure if this is more or less effective than standard beware of dog signs when it comes to deterrence. Can you tell what kind of dog it is? Not exactly. Can you tell how big it is? Again, not exactly. It doesn't appear to be one of the very tiny breeds, but there's still an element of the unknown here which is important in fostering fear. I guess what this one does is evade the parts of our brains that have grown to ignore beware of dog signs.

Tuesday, June 1, 2021

Who knew you could be identified by your identifying marks?

from here

You'd think a member of the mafia would know enough opsec to keep his tattoos covered when broadcasting his likeness across the globe. I guess not all of them do.

Encryption dress

Product Page

Who doesn't want to wear AES ciphertext on their dress? I just wonder what it says. I suppose one may have to remind cryptographers that your eyes are up here, since I'm sure some of them will be trying to decode the message.