Friday, September 15, 2006

America's funniest home videos, cyber style

Many security-related movies can be found on the Internet. Some are fun. Some are sad. Most of them are educational. It could be argued that it is not a good thing to have them in a blog like this, but they are all very easily found using Google Video or any other search engine. I would argue against that and raise two objections: first, I believe that we (the good guys) need to share information - the bad guys already do, which gives them the advantage. Second, I do not think that most people understand the vast diversity of information available - anything from breaking into WLANs to manipulating vending machines. If you think a bit philosophically about that, you soon realize that most things are vulnerable. That is something good to always keep in the back of your head when you design any solution. You don't want to have a web page or a video dedicated to your failures, or a mailing list discussion on why your solution sucks. Anyway, this is a collection of some "home videos" I found by browsing the web for half an hour.

The first video shows a Berkeley professor giving a serious rant about the consequences for whoever stole his laptop.

Magnus Ranum (Internet security guru) has a collection of home videos, including Detonating baby food or safe cracking.

IT-related videos fall into several categories. Wireless network videos seem to be quite popular. WEP hacking is a short video (4 mins) on how to break into someone's wireless network. Here's another one where they hack a 128-bit WEP network.

We have included some mandatory Windows hacking and another one called get "r00t" privlages (note their bad spelling :-). It's easy to find videos of Windows Password hacking and another one using LC4.

One category of videos is interviews with "hackers". One interesting video was shot at the DefCon conference.

There are also a number of hardware hacking videos: how to crack open an iPod nano, Xbox (2h3m) and Xbox 360 (2 mins). Someone even taped a video on how to hack the menu system of a vending machine. An academic video on how to hack a voting machine was taped by researchers at Princeton. Some more fun videos, fun in the classical hacker sense of the word, are these videos from Chaos Computer Club.

There are some IPTV shows floating around, including thebroken, DougTV, etc.

Google has had some interesting guest lecturers speaking to its engineers on How To Break Web Software - A look at security vulnerabilities in web software (1h30m) or Crime: The Real Internet Security Problem (1h).

To sum up, it is also important to remember all the interesting webcasts made available by Microsoft, SANS and others, where you can find tons of information on security problems as well as on fixing security.

The twilight zone

I have developed a specific interest in the twilight zone between different aspects of security: where security and safety issues cross, where there are both physical and logical security issues, or where technical issues differ from the psychological acceptance of security (even usability).

Usability AND security (not OR) is the name of an excellent book edited by Lorrie Faith Cranor and Simson Garfinkel. They cover psychological acceptance of security, secure systems, privacy and anonymity systems, etc. One of the pioneers in the softer aspects of information security is Ka-Ping Yee with his Secure Interaction Design, SID, which contains some really good ideas and rules of thumb. He has provided some nice posters on the matter.

Matt Blaze has written several excellent articles on this subject, including Safecracking for the Computer Scientist and Cryptology and Physical Security: Rights Amplification in Master-Keyed Mechanical Locks, where he applies modern ideas from computer science to attack traditional security systems. His research has earned him some criticism from locksmiths and others. Hey, even Nobel laureate Richard Feynman is known to have been a safe cracker!

Other, similar examples of interesting research where real-world security meets information security are the work of Ross Anderson on ATM machines in Why Cryptosystems Fail, and that of Avi Rubin of Johns Hopkins and Ed Felten of Princeton on electronic voting machines, etc.

For the last couple of years I've found Process Control Systems, SCADA and similar industrial applications of special interest, since it is an area where security and safety meet (collide?). Another aspect of this collision is the cultural difference between the groups involved, i.e. IT staff versus the staff working with process control. There are many security aspects in the industrial IT field that are simply different from traditional IT - scarce resources, unwillingness to change (upgrade software? no way!), and many systems having a completely different life cycle. I will write more on this in coming articles.

Thursday, September 14, 2006

IT and politicians, part 2

The subject of IT, having been stone cold at the beginning of the Swedish election campaign, has become red hot, especially if it can be tied to some kind of misuse or scandal.

Discussions on some chat channels and mailing lists revealed that by using some Google hacking, it was quite easy to recover sensitive configuration information (the root password) for the youth section of one of the political parties. More on that in this article (in Swedish) in one of the major newspapers. Google and friends are powerful tools - remember that they can be used with both good and malicious intent.

One Swedish politician had the content of his hard disk (Swedish) available on one of the major file sharing networks. He blames his kids for having used the computer to connect to DC++. This is still to be verified. However, common sense says that you should not share a computer used for professional work with your teenagers.

IT and politicians, part 1

The run-up to the Swedish elections specifically lacked one major area - information technology. It was a non-existent subject. No politicians were interested in discussing aspects of information technology. This changed overnight with the spy scandal, where representatives of the liberal party misused a login of a user belonging to the competing social democratic party. The story broke in the beginning of September, and it has been in the headlines in all major Swedish media for the last couple of weeks. According to the media, different types of information were leaked (or stolen) by a number of intruders. The "attack" was performed using a simple username - sigge, a nickname, with a password of sigge (great security there!). The compromised account could be used to access not only tactics for the upcoming election and political strategies, but also more sensitive information such as reports from the secret police, etc. Allowing weak passwords is clearly not very good security. But common sense and basic knowledge of security should not lead to the design of Internet-accessible systems with static passwords that are used for a mix of documents at different levels of confidentiality.