security

The terrorists have won.

Posted on: Tue, 08/16/2016 - 11:38 By: Tom Swiss

A nation scared by the sound of applause, seeing phantom threats everywhere.

The terrorists have won. Soaked in its own fear sweat, the nation can't even wait in line to board a plane without suffering a nervous breakdown.

Scenes From the Terrifying, Already Forgotten JFK Airport Shooting That Wasn’t (Daily Intelligencer)

When the first stampede began, my plane had just landed. It started, apparently, with a group of passengers awaiting departure in John F. Kennedy Airport Terminal 8 cheering Usain Bolt’s superhuman 100-meter dash. The applause sounded like gunfire, somehow, or to someone; really, it only takes one. According to some reports, one woman screamed that she saw a gun. The cascading effect was easier to figure: When people started running, a man I met later on the tarmac said, they plowed through the metal poles strung throughout the terminal to organize lines, and the metal clacking on the tile floors sounded like gunfire. Because the clacking was caused by the crowd, wherever you were and however far you’d run already, it was always right around you.

...

There was no “they.” There was not even a “he,” no armed person turning on a crowd. But what happened at JFK last night was, in every respect but the violence, a mass shooting. The fact that there was no attack at the center of it was both the weirdest and the scariest part — that an institution whose size and location and budget should make it a fortress, in a country that has spent 15 years focused compulsively on securing its airports, in a city with a terrifyingly competent anti-terror police unit, could be transformed into a scene of utter bedlam, stretching out from all eight terminals across the tarmac and onto the adjacent highways, by the whisper of a threat.

Bruce Schneier on "CYA Security"

Posted on: Fri, 12/18/2015 - 00:19 By: Tom Swiss

The inimitable Bruce Schneier just posted about how the response to the LA bomb theats was an incident of "CYA security" -- the purpose of which is not to make a community more secure but to insulate authorities from blame: He first discussed that topic back in 2007, and the post remains all to relevant:

CYA Security - Schneier on Security (www.schneier.com)

If someone left a backpack full of explosives in a crowded movie theater, or detonated a truck bomb in the middle of a tunnel, no one would demand to know why the police hadn't noticed it beforehand. But if a weird device with blinking lights and wires turned out to be a bomb -- what every movie bomb looks like -- there would be inquiries and demands for resignations. It took the police two weeks to notice the Mooninite blinkies, but once they did, they overreacted because their jobs were at stake.

This is "Cover Your Ass" security, and unfortunately it's very common.

Things you should not connect to the Internet, Part LXXIII: Wind Turbines
Tom Swiss Wed, 12/09/2015 - 14:26

The "Internet of Things" is mostly a bad idea being pushed by companies that want to control your stuff and snoop on you. Very few systems with physical actuators or sensors should be accessible from the public internet -- maybe an intranet at best. Here's a great example why.

Script Kiddies Can Now Launch XSS Attacks Against IoT Wind Turbines (softpedia)

After presenting the case of a gas detector that had two critical issues in its firmware, a recent ICS-CERT advisory has now drawn our attention to the XZERES 442SR, a smart wind turbine that comes equipped with a Web-based administration panel.

According to the ICS-CERT advisory, this administration panel is vulnerable to XSS (cross-site scripting) attacks that allow even the lowest-skilled hacker to take advantage of them....

...

By exploiting this attack point, hackers can lower the turbine's efficiency, indirectly cutting electrical power to the systems in accordance with its power output. Depending on what kind of systems are connected to the turbine, this can be a nuisance but can also cause a loss of sensitive equipment or even human life.
Script kiddies rejoice, an IoT hack that's n00b-friendly

While ISC-CERT and the manufacturer say that there have been no attacks carried out by this technique until now, the expertise needed to exploit this flaw is at an entry level for any InfoSec researcher.

security by expulsion - Ahmed Al-Khabaz and Dawson College Tom Swiss Tue, 01/22/2013 - 08:46

Computer security experts have long decried the practice of "security by obscurity"; keeping the design of a system secret cannot effectively protect it from attackers, because points of compromise won't stay hidden long.

Montreal’s Dawson College has taken the failure of security by obscurity one step further with what we might call "security by expulsion":

Ahmed Al-Khabaz expelled from Dawson College after finding security flaw

Ahmed Al-Khabaz, a 20-year-old computer science student at Dawson and a member of the school’s software development club, was working on a mobile app to allow students easier access to their college account when he and a colleague discovered what he describes as “sloppy coding” in the widely used Omnivox software which would allow “anyone with a basic knowledge of computers to gain access to the personal information of any student in the system, including social insurance number, home address and phone number, class schedule, basically all the information the college has on a student.”

Subscribe to security