February 7th, 2013
As Alex Woodie has said “when terminology from the IT department breaks through into the mainstream culture, you know you’re onto something really hot”. This is the case with the term and the concept behind “cloud computing,” which has spread like a west Texas prairie fire.
It seems that every article you read about some new web development contains at least four references to cloud technology. Everyone is hopping on the bandwagon — even Apple is following the herd with their move from MobileMe to iCloud. Clearly, cloud-based computing systems are here to stay. Just as the world moved from mainframe architecture to personal computing, it seems that this is the start of a shift towards offloading certain aspects of personal computing to the cloud.
And long-term, the cloud represents an offloading of data from external hard drives and their ilk to online storage systems powered by some sort of cloud architecture. As LTE and other wireless data technologies become more prevalent and more powerful, we will be increasingly comfortable with more data living off our devices than on … Read more
February 7th, 2013
There really is no wrong definition of what “Big Data” is. We like to explain big data as taking a vast amount of information and being able to distill it in a way that can be consumed and acted upon. Yes, a common definition that’s often overused is one that focuses solely on the vast quantities of data being created. But big data paints a picture of a human being, including the often mundane tasks a person completes through the day: using an ATM, paying bills or buying movie tickets online, taking public transportation, and so on. Each one of those things creates a unique data point. That picture is what business is focused on.
In every industry, in every part of the world, senior leaders wonder whether they are getting full value from the massive amounts of information they already have within their organizations. New technologies are collecting more data than ever before, yet many organizations are still looking for better ways to obtain value from their data and compete in the marketplace. Their questions about how best to … Read more
May 1st, 2016
Predator drone at the ready in a hangar
1 May 2016 – From this weekend’s Sunday Times of London:
Islamic State hackers have published a “hit list” of dozens of US military personnel purportedly involved in drone strikes against terrorists in Syria and Iraq.
At the weekend, a group calling itself the “Islamic State Hacking Division” circulated online the names, home addresses and photographs of more than 70 US staff, including women. It urged supporters: “Kill them wherever they are, knock on their doors and behead them, stab them, shoot them in the face or bomb them.”
The group also claimed that it might have a mole in Britain’s Ministry of Defence and threatened to publish “secret intelligence” in the future that could identify RAF drone operators. The claim could not be verified.
The hacking division was previously led by Junaid Hussain, a computer hacker from Birmingham who was killed by a US drone strike in Syria last August after he was discovered to be orchestrating attacks against the West.
Inquiries made by The Sunday Times suggested that the … Read more
February 2nd, 2016
2 February 2016 – Super Bowl 50 will be big in every way. A hundred million people will watch the game on TV. Over the next ten days, 1 million people are expected to descend on the San Francisco Bay Area for the festivities.
And, according to the FBI, 60 federal, state, and local agencies are working together to coordinate surveillance and security at what is the biggest national security event of the year.
Previous years’ Super Bowl security measures have included WMD sensors, database-backed facial recognition, and gamma-ray vehicle scanners. Given the fears and cautions in the air about this year’s contest, it’s easy to guess that the scanning and sensing will be even more prevalent this time.… Read more
January 27th, 2016
27 January 2016 – So the latest in the laid off Disney IT worker saga. According to ComputerWorld:
“Disney IT workers laid off a year ago this month are now accusing the company and the outsourcing firms it hired of engaging in a ‘conspiracy to displace U.S. workers.’ The allegations are part of two lawsuits filed in federal court in Florida on Monday. Between 200 and 300 Disney IT workers were laid off in January 2015. Some of the workers had to train their foreign replacements — workers on H-1B visas — as a condition of severance. The lawsuits represent what may be a new approach in the attack on the use of H-1B workers to replace U.S. workers.
They allege violations of the Federal Racketeer Influenced and Corrupt Organizations Act (RICO), claiming that the nature of the employment of the H-1B workers was misrepresented, and that Disney and the contractors knew the ultimate intent was to replace U.S. workers with lower paid H-1B workers.”… Read more
January 23rd, 2016
23 January 2016 – There is growing evidence that intrusions into the power grid and other critical infrastructure by hostile foreign nation states are real and happening. But there’s “much less agreement over how much of a threat hackers are,” writes Taylor Armerding. “On one side are those – some of them top government officials – who have warned that a cyber attack on the nation’s critical infrastructure could be catastrophic.”
Others are crying FUD, including C. Thomas, a strategist at Tenable Network Security, who got some attention when he argued in an op-ed that the biggest threat to the U.S. power grid is not a skilled hacker but squirrels.
Who has it right? Agreement seems to coalesce around two points:
1) the cyber security of industrial control systems remains notoriously weak, and
2) hostile hackers will improve their skills over time.
So, while we haven’t reached “catastrophe” yet, a properly motivated terrorist group could become a cyber threat.
… Read more
January 13th, 2016
13 January 2016 – You can add terrorist-controlled drones to the list of dangers we need to be prepared for, says the Oxford Research Group.
Its new report contains information about over 200 current and upcoming unmanned aerial, ground and marine systems, and evaluates their capabilities for delivering payloads (e.g. explosive devices), imaging capabilities (e.g. for reconnaissance purposes), and their general capabilities. Even though the report notes that commercial drones have a limited flight time, range of movement, and payload capacity, and that their operators still have to be relatively close to a potential target, the researchers are particularly worried about the possibility of drones being used as remotely controlled explosive devices. They say, “The technology of remote-control warfare is impossible to control; the ultimate defense is to address the root drivers of the threat in the first place.”… Read more
December 5th, 2015
5 December 2015 – Veracode has put together a report after static analysis of over 200,000 apps, and its results show that Classic ASP, ColdFusion, and PHP generated the most security bugs in scanned applications. Ignoring the first two, which are almost extinct languages, PHP, used for Drupal, Joomla, and WordPress (which recently announced it runs a quarter of the Internet) is the programming language with the most security woes.… Read more
November 2nd, 2015
2 November 2015 – Last week the media blogs lit up over the British police’s seizure of a BBC laptop. What configuration and practices would ensure that such a seizure yields zero information to the police?
Sarah Naomi was at the t2’15 infosec conference in Finland last week and described a presentation by security researcher Georg Wicherski. Wicherski is a Senior Security Researcher with CrowdStrike who we have met several times at Black Hat.
Wicherski outlined in his talk several steps that could be taken to render, for instance, an ordinary Chromebook immune (or at least make it very, very resistant) to malware attacks, even when an adversary has physical access to it. These customizations make it difficult for an attacker to use any sort of turnkey solution, presenting a barrier to any off-the-shelf equipment attackers might use. At border crossings, Wicherski said possible attackers might have “an appliance, that comes with a manual, and low-skilled operators.” By using a setup that is not very common, the border cops might not know what to … Read more
October 30th, 2015
30 October 2015 – When Anthem revealed a data breach that exposed the details of more than 80 million people, the incident raised a lot of questions: who would conduct such a hack against a health insurance firm? Investigators finally have some answers… and they’re not quite what you’d expect. Reportedly, the culprits were Chinese hackers helping their nation understand how US medical care works. It may be part of a concerted campaign to get ready for 2020, when China plans to offer universal health care.
Next, maybe we should outsource politicians from China to fix our healthcare system.
… Read more
October 18th, 2015
18 October 2015 – Cars and streets are now connecting to the Internet for a long list of transportation and safety benefits but the new tech has drawbacks. Experts from government, industry, and academia say they have no confidence they’ll develop a secure system that can protect users from tracking and privacy breaches. Their opinions were captured in a recent survey (PDF) from the Government Accountability Office:
“The government is coordinating with the transportation industry on the Security Credential Management System (SCMS), a project to verify that basic road-safety messages come from authorized devices. … At this point, it’s not clear who would even run such a system. Previous plans pointed toward car industry control, but the Transportation Department is now looking into playing ‘a more active leadership role’ for V2I as well as V2V (vehicle-to-vehicle) networks. That role would include setting security and privacy standards when V2I and V2V networks become operational.”
… Read more
October 7th, 2015
Gregory P. Bufithis
Eric De Grasse
7 October 2015 – Thousands of cloud fanatics have descended on Las Vegas this week for Amazon Web Service’s re:Invent conference. One item that grabbed our attention was the announcement by a group of researchers from Massachusetts, who published a proof of concept that uses a flaw in AWS virtual machines to steal RSA secret keys from a neighbouring VM. The flaw has since been patched, but according to the researchers we really need to think more seriously about security in the cloud.
The group of professors … at Worcester Polytechnic Institute … demonstrated, in a recently published paper titled “Seriously, get off my cloud! Cross-VM RSA Key Recovery in a Public Cloud,” a proof-of-concept recovery of secret cryptographic keys used inside an AWS virtual machine. The now-patched flaw – which was not specific to AWS – showed that a hacker could, in theory, obtain a user’s secret keys that are used to encrypt sensitive data.
Security experts say the risk of this specific attack being used is quite low … Read more
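The mechanism behind that paper is a cache-timing side channel: a VM co-resident on the same physical host watches which parts of the victim’s RSA code execute and recovers private-exponent bits from that sequence. As an added example that is not code from the page, the paper, or any library, the Python below models the leak with a plain left-to-right square-and-multiply that records an ‘S’/‘M’ operation trace (a stand-in for what the observer sees; the paper’s target used a windowed exponentiation, but the principle is the same), an attacker routine that turns the trace back into the exponent, and a Montgomery ladder with an arithmetic conditional swap whose trace is key-independent. The toy modulus, exponent and trace abstraction are constructed for illustration; Python big-integer arithmetic is not itself constant-time, so this models the control-flow leak only.

```python
# Added example: models the key-dependent operation sequence that a cache
# side-channel observer can read off RSA exponentiation, and a ladder that
# removes it. Toy values (p=61, q=53, n=3233, e=17, d=2753) are constructed.

def leaky_modpow(base, exp, mod, trace):
    """Left-to-right square-and-multiply. Appends 'S' per squaring and 'M' per
    conditional multiply to `trace`, standing in for the code paths an observer
    on a shared cache distinguishes."""
    result = 1
    for bit in bin(exp)[2:]:            # most significant bit first
        result = (result * result) % mod
        trace.append('S')
        if bit == '1':                  # key-dependent branch: this is the leak
            result = (result * base) % mod
            trace.append('M')
    return result


def recover_exponent(trace):
    """Attacker view: an 'S' followed by 'M' is a 1 bit; an 'S' not followed
    by 'M' is a 0 bit. Reconstructs the exponent from the trace alone."""
    bits = []
    i = 0
    while i < len(trace):
        if trace[i] != 'S':
            raise ValueError("malformed trace")
        if i + 1 < len(trace) and trace[i + 1] == 'M':
            bits.append('1')
            i += 2
        else:
            bits.append('0')
            i += 1
    return int(''.join(bits), 2)


def cswap(swap, a, b):
    """Conditional swap without a branch: swap is 0 or 1, mask is 0 or all ones."""
    mask = -swap
    t = (a ^ b) & mask
    return a ^ t, b ^ t


def ladder_modpow(base, exp, mod, trace, width):
    """Montgomery ladder over a fixed bit width: every bit does exactly one
    multiply and one square in the same order, selected by cswap rather than
    by a branch, so the recorded trace does not depend on the key."""
    r0, r1 = 1, base % mod
    for i in range(width - 1, -1, -1):
        b = (exp >> i) & 1
        r0, r1 = cswap(b, r0, r1)
        r1 = (r0 * r1) % mod
        r0 = (r0 * r0) % mod
        r0, r1 = cswap(b, r0, r1)
        trace.append('M')
        trace.append('S')
    return r0


def demo():
    n, d, m = 3233, 2753, 65           # toy RSA modulus, private exponent, message
    other = 2049                       # a second 12-bit exponent for comparison
    leaky_trace, other_leaky = [], []
    leaky_result = leaky_modpow(m, d, n, leaky_trace)
    leaky_modpow(m, other, n, other_leaky)
    ladder_trace, other_ladder = [], []
    ladder_result = ladder_modpow(m, d, n, ladder_trace, width=12)
    ladder_modpow(m, other, n, other_ladder, width=12)
    return {
        "leaky_result": leaky_result,
        "recovered_exponent": recover_exponent(leaky_trace),
        "leaky_traces_equal": leaky_trace == other_leaky,
        "ladder_result": ladder_result,
        "ladder_traces_equal": ladder_trace == other_ladder,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point the demo makes is that the observer never needs the ciphertext or the modulus: the trace of the leaky routine alone yields the full exponent, while the two ladder traces are identical for different keys. Real mitigations in the paper’s setting also include exponent blinding and not sharing physical cores with untrusted tenants; the ladder only closes the control-flow channel modelled here.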