
McAfee: 90% of Americans would perish if the Power Grid is attacked

Full transcript here: https://www.rt.com/shows/sophieco/340..

  • Cyber warfare discussion at 22.18 mins: the US power grid is 50 years old – and vulnerable.
  • No power means no food or water (electricity is needed to process food).
  • CIA estimates are that 90% of Americans would perish within 24 months of a power grid attack. Only 10% of America would survive, due to lack of access to food and water.
  • Nuclear war cannot approach that level of devastation.

 

This is a very interesting rationale.  Cyber warfare that attacks the civilian infrastructure would cause more harm than nuclear warfare.  Water supplies would of course trigger immediate harm.  Access to fresh clean water is of utmost priority.  So rather than attacking the electrical grid, it would make more sense to target water supplies.  Of course, we all hope it never comes to this, but it’s a very interesting thought.

The natural antidote to this is to locate clean, fresh water and the means of sterilising it.

A second point is that homes with solar panels will have some form of limited power (if it’s sunny).  This highlights that power tools that need electricity would be useless.  Time to invest in some good-quality, non-powered tools for the garden then.

Camping equipment would be very useful. In fact, any equipment that would function during a power cut would be useful to have around.  Gardening and camping stores would see a boom time – as would cash transactions, as your credit cards won’t work.

So logically we would be back in the barter system for a short while.  The taxman would be most unhappy at that.  No tax = no money for the government.  What a thought!

$10 router blamed in Bangladesh bank hack – BBC

http://www.bbc.co.uk/news/technology-36110421

Hackers managed to steal $80m (£56m) from Bangladesh’s central bank because it skimped on network hardware and security software, reports Reuters.

The bank had no firewall and used second-hand routers that cost $10 to connect to global financial networks.

Better security and hardware would have hampered the attackers, Reuters said, quoting an official investigator.

The hackers aimed to steal $1bn but made mistakes that led to the theft being spotted and stopped.

Better defence

A firewall would have made attempts to hack the bank more “difficult”, Mohammad Shah Alam, a forensic investigator who works on the Bangladesh team investigating the theft, told Reuters.

The second-hand hardware also meant that basic security steps to segregate network traffic were not taken, he said.

The cheap routers have hindered the investigation, said Mr Alam, because they collected very little network data that could be used to pinpoint the hackers and shed light on their tactics.

The hack took place in early February and involved hackers getting access to the core network of Bangladesh’s central bank. They used this privileged access to transfer cash from Bangladesh’s account at the Federal Reserve Bank of New York to other banks.

A spelling mistake in one of the transfer orders alerted bank staff and meant the hackers only managed to steal $81m. This has been traced to accounts in the Philippines and to casinos in the same country. Most of the cash has yet to be recovered.

****

Take away message:

  1. Hackers must learn to spell.
  2. Banks must use firewalls.
  3. If you’re going to hack anyone, target their router.

Win XP, Flash, Java… healthcare makes easy pickings for hackers

Study shows some medical folk are still running an OS not supported since 2014

http://www.theregister.co.uk/2016/04/22/healthcare_insecurity/

The healthcare industry is a long way behind the financial sector in basic security practices, according to a study by two-factor authentication firm Duo Security.

Duo found that healthcare devices were significantly more out of date and less secure than ones from finance, after comparing its healthcare customers’ devices to its finance customers’ equipment.

Healthcare has a four times greater density of Windows XP computers compared to finance. Windows XP has been unsupported by Microsoft since 2014 and unsupported OSes do not receive any software patches or updates, making them an easy target for attackers.

The risk is far from theoretical. For example, earlier this year Melbourne Health’s networks were infected with malware after an attack compromised the Royal Melbourne Hospital’s pathology department, which was running Windows XP.

The Qbot malware linked to the infection is capable of stealing passwords and logging keystrokes.

A significant minority (three per cent) of Duo’s installed base is stuck on Windows XP, which compares to one per cent of users across Duo’s entire client base. Across that customer base, finance has 50 per cent more instances of computers running on the Windows 10 operating system than healthcare.

Flash! Arrgh!

Finance has more instances of computers running on Windows 7 (74 per cent) than healthcare (66 per cent). Staying with older versions of Microsoft’s OS can have security downsides, even if the operating system is still supported.

With more than 500 known vulnerabilities affecting Windows 7, there are many ways for an attacker to easily exploit flaws on the outdated OS to gain unauthorised access to a healthcare organisation’s computing environment, Duo warns.

Twice as many healthcare endpoints have Flash installed and three times as many healthcare customers have Java installed on their devices, again putting them at greater risk of vulnerabilities and exploitation.

Only 12 per cent of non-healthcare users have Java installed, compared to 36 per cent in healthcare. Many popular electronic healthcare record (EHR) systems and identity and access management (IAM) software supporting e-prescriptions require the use of Java, factors which could account for the higher installed base. But this is bad news for security because Java browser plug-ins are a popular exploit route for hackers.

A separate study from IBM X-Force earlier this week warned that crooks were increasingly targeting healthcare concerns rather than banks, partly because systems were more weakly defended. Stolen healthcare info contains personal data that is readily marketed through underground forums because it offers the collateral to carry out identity fraud and other scams.

UK spy agencies systematically amass data on innocent people, legal challenge reveals

http://techcrunch.com/2016/04/21/uk-spy-agencies-systematically-amass-data-on-innocent-people-legal-challenge-reveals/

Privacy campaign group Privacy International says documents it has obtained through a legal challenge to the UK security agencies’ data-harvesting practices illustrate the extent to which spies have systematically and secretly amassed a cache of data on UK citizens for the past 15 years — regardless of whether a particular individual is suspected of a crime.

Aka: mass surveillance.

The cache of 46 documents relate to policies, procedures and guidance in place for one aspect of UK state investigatory powers — so-called Bulk Personal Datasets (BPDs) — as well as covering Section 94 (of the Telecommunications Act 1984) directions for GCHQ, MI5 and MI6.

In several documents, including one pertaining to security and intelligence agency policy, agencies observe that the “majority” of the data amassed in these databases contains “personal data about a wide range of individuals, the majority of whom are not of direct intelligence interest”.

The policy document, dated February 2015, also warns staff to brace for “more onerous authorisation processes (beyond our current largely internal ones), as well as enhanced external oversight” as a consequence of the government considering changes to investigatory powers law.

“At the very least we should expect increased and significant public interest and debate,” it adds.

In another document pertaining to the handling of BPDs by GCHQ, the agency notes the elevated risk of privacy rights infringement from using this type of data:

Although bulk personal datasets constitute only a tiny proportion of the data GCHQ obtains, its retention and use of such datasets represent a significant interference with many people’s right to privacy under the European Convention on Human Rights (ECHR). This interference must be justified in terms of its necessity and proportionality, in accordance with Article 8(2) of the ECHR. The use of such data for operational purposes is also especially sensitive and carries an elevated degree of corporate risk. GCHQ has therefore established special arrangements to ensure appropriate handling of such data throughout its life-cycle, both within and, where applicable, beyond GCHQ.

The UK government is in the midst of pushing a new surveillance law through parliament which aims to expand the intrusive capabilities available to domestic police and security services. Yet, at the same time, the Home Secretary Theresa May has repeatedly rejected claims domestic security agencies are engaged in mass surveillance of citizens — preferring the euphemism ‘bulk collection’.

Back in January she rebutted criticism that state agencies engage in mass surveillance, waspishly telling a parliamentary committee scrutinizing the draft Investigatory Powers Bill that: “We do not collect all the data, all of the time.”

However the documents obtained by Privacy International, as part of a legal challenge, show domestic intelligence agencies have been collecting, if not every last bit and byte, then certainly very large troves of data on UK citizens. And doing so for a very long time.

According to Privacy International, requisitioned data can include medical records, travel records, financial records, population data, commercial data (details of corporations and individuals involved in commercial activities), regular feeds from internet and phone companies, billing data or subscriber details, content of communications (including with lawyers, MPs and doctors), and records from government departments.

It adds that the documents indicate such data is routinely requisitioned.

Aka: mass surveillance.

“The papers released today act as proof of, and show the sheer scale of, British intelligence agency surveillance of our personal data,” it asserts. “It goes far beyond monitoring our text messages, email messages, and social media posts. The intelligence agencies have secretly given themselves access to potentially any and all recorded information about us.”

The use of BPDs as an investigatory tool was only revealed in March last year, via an Intelligence and Security Committee (ISC) report. Yet these large databases had been used in secret for scores of years, apparently sanctioned under a law that pre-dates the rise of the commercial Internet. (The documents confirm Section 94 of The Telecommunications Act 1984 has been used by the UK state to access data in bulk.)

The ISC report previously described BPDs as “large databases containing personal information about a wide range of people” — which it said are used by intelligence agencies to “identify individuals during the course of their investigations, to establish links between Subjects of Interest, and to verify information that they have gathered through other means”.

And Home Secretary May has described them as an invaluable tool for the security agencies, arguing that “bulk capabilities” are important to retrospectively sift through a target’s communications as part of an active investigation.

“You need to be able to acquire the communications in the first place and when the target is overseas bulk interception obviously is one of the key means, and indeed it may be the only means, by which it’s possible to obtain communications,” she told a parliamentary committee back in January, adding: “It is about keeping people safe and secure.”

The flip-side of that argument is of course that amassing gigantic databases containing sensitive personal data on every citizen in the country is not only a massive and disproportionate privacy infringement but also vastly increases the volume of data the intelligence agencies have to sift through — thereby increasing the signal to noise ratio and making effective, targeted intelligence work harder.

And if May wants to assert that gigantic intelligence databases are necessary to ‘keep people safe’, it’s worth making the obvious point that the UK security agencies’ bulk data collection habits did not prevent the 7/7 co-ordinated terror attack in London, in July 2005. Nor the slaying of soldier Lee Rigby in a London street three years ago by two men who were in fact already known to the security services. The evidence that mass surveillance/bulk collection keeps people safe is as apparently elusive as the targets spy agencies are tasked with seeking.

Last year’s ISC report which first disclosed the existence of BPDs also revealed there are hundreds of millions of these databases, which it said may be linked together. Privacy International’s suggestion now is these databases “could be used to build detailed profiles about all of us”.

“The information revealed by this disclosure shows the staggering extent to which the intelligence agencies hoover up our data. This can be anything from your private medical records, your correspondence with your doctor or lawyer, even what petitions you have signed, your financial data, and commercial activities,” said Millie Graham Wood, Legal Officer at Privacy International, in a statement.

“This data is integrated into databases that could be used to build detailed profiles about all of us. The agencies themselves admit that the majority of data collected relates to individuals who are not a threat to national security or suspected of a crime. This highly sensitive information about us is vulnerable to attack from hackers, foreign governments, and criminals.

“The agencies have been doing this for 15 years in secret and are now quietly trying to put these powers on the statute book for the first time, in the Investigatory Powers Bill, which is currently being debated in Parliament. These documents reveal a lack of openness and transparency with the public about these staggering powers and a failure to subject them to effective Parliamentary scrutiny.”

The organization also notes that in recent years only three cases of non-compliance or misuse of BPDs have resulted in staff being disciplined. “It is not apparent that any victims have been notified,” it adds.


****

I use IVPN as my VPN provider.  I’m openly biased as I know their system works – flawlessly, without outages and across many devices from Android to Mac, to Linux to iPhones and routers.

IVPN

www.ivpn.net

Warrant Canary – can be found here:

https://www.ivpn.net/resources/canary.txt

How to bypass a forgotten password on a Cisco 2950, 2960, 3550, 3560, 3750 Switch

If you’ve forgotten the password on a Cisco switch, you need to find out how to circumvent the security.  This is how you bypass a forgotten password on several Cisco switches.

Step 1 – Power off

Remove the power cable

Insert power cable and hold down the “mode” button for 4 seconds.

The mode light will start to flash when it’s ready.

Step 2 – Cisco commands

Your Cisco switch will then helpfully display the 3 commands you’ll need.

flash_init

load_helper

dir flash:

**

Type into the switch prompt:

flash_init

Now wait for the boot sequence to complete.  This is the slowest stage…

load_helper

dir flash:

****

dir flash: lists all the files held in flash memory.

We need to look for config.text.

****

Step 3 – Rename the existing config.text

Once you can see the config.text file listed, type in at the prompt:

rename flash:config.text flash:config.old

To check that config.text has been renamed:

dir flash:/

*****

Now reboot the Cisco switch (power off/on) – this time it will come up with all passwords wiped, as there is no config.text for it to load.

The good news is that the old configuration is still there as config.old – we try to keep old config files if we can.


Video

Here’s a video of the bypassing of a password in action.


Guess what? URL shorteners short-circuit cloud security – Ars Technica

http://arstechnica.com/security/2016/04/guess-what-url-shorteners-short-circuit-cloud-security/

Two security researchers have published research exposing the potential privacy problems connected to using Web address shortening services. When used to share data protected by credentials included in the Web address associated with the content, these services could allow an attacker to gain access to data simply by searching through the entire address space for a URL-shortening service in search of content, because of how predictable and short those addresses are.

Vitaly Shmatikov of Cornell Tech and visiting researcher Martin Georgiev conducted an 18-month study in which they focused on OneDrive and Google Maps. “We did not perform a comprehensive scan of all short URLs (as our analysis shows, such a scan would have been within the capabilities of a more powerful adversary),” Shmatikov wrote in a blog post today, “but we sampled enough to discover interesting information and draw important conclusions.” One of those conclusions was that Microsoft’s OneDrive shortened URLs were entirely too easy to traverse.

To search for shared cloud files, the pair performed a sample scan of 100 million bit.ly shortened domains, generating random six-character tokens, using 189 separate machines to access the bit.ly service’s search API, and a similar number of seven-character tokens by simply appending a “1” to the beginning of a random six-character string.

Searching for Google’s shortened URLs was simpler: prior to last September, Google only used a five-character token for the short URLs generated from Maps. The researchers discovered over 23 million Google Maps URLs in their samples, about 10 percent of which were for stored directions from one location to another and the remainder address locations. These were largely associated with specific Google user accounts, creating a potential privacy hole—the researchers could determine who shared directions based on home addresses:

The endpoints of driving directions shared via short URLs often contain enough information to uniquely identify the individuals who requested the directions. For instance, when analyzing one such endpoint, we uncovered the address, full name, and age of a young woman who shared directions to a planned parenthood facility. Conversely, by starting from a residential address and mapping all addresses appearing as the endpoints of the directions to and from the initial address, one can create a map of who visited whom. Fine-grained data associated with individual residential addresses can be used to infer interesting information about the residents. For instance, we conjecture that one of the most frequently occurring residential addresses in our sample (see Figure 4) is the residence of a geocaching enthusiast. He or she shared directions to hundreds of locations around Austin, TX, many of them specified as GPS coordinates. We have been able to find some of these coordinates in a geocaching database.

When presented with the information by the researchers, Google increased the size of its tokens for Maps short URLs to 11 or 12 characters.

The contents of the bit.ly address space searched also had privacy implications. Of the six-character tokens, “42% resolved to actual URLs,” Shmatikov wrote — 42,229,055 URL mappings, of which “19,524 URLs lead to OneDrive/SkyDrive files and folders, most of them live.” The seven-character tokens had a 29 percent hit rate, with 47,081 OneDrive and SkyDrive URLs — 35,541 of them live. Since bit.ly URLs are not entirely random, the pair noted in the paper, it was possible to adjust the search to specific blocks of token addresses to get even higher success rates.

In total, the links gave the researchers access to over 1.3 million files in the OneDrive cloud, based on parsing of the full URLs discovered. Based on the data, the researchers concluded that about 7 percent of OneDrive short URLs linked to “open” accounts—files and folders that were shared with write access. There were hundreds of Google Drive links as well in the bit.ly data. “As with OneDrive, anyone who discovers the URL of a writable Google Drive folder can upload arbitrary content into it, which will be automatically synced with the user’s devices,” the researchers noted. That could make it possible for an attacker to mine shortened URLs for places to drop malware.
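The enumeration risk described above comes down to token length versus the number of live links. The Python below is an added illustration, not code from the researchers or Ars Technica; it assumes a 62-symbol token alphabet (a-z, A-Z, 0-9), uses constructed live-URL counts and scan rates, and shows why 5- and 6-character tokens were enumerable while the 11-character minimum Google moved to is not.

```python
"""Worked calculation for the short-URL enumeration problem described above.

Added illustration, not the researchers' or Ars Technica's code. Assumptions:
the shortener draws tokens uniformly from a 62-symbol alphabet (a-z, A-Z, 0-9);
the live-URL counts and request rates passed in are constructed figures.
"""
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits   # 62 symbols (assumed)
MIN_SAFE_LENGTH = 11   # the length the article says Google Maps moved to


def token_space(length: int) -> int:
    """Number of distinct tokens of this length."""
    return len(ALPHABET) ** length


def entropy_bits(length: int) -> float:
    """Bits of entropy in a uniformly random token of this length."""
    return length * math.log2(len(ALPHABET))


def hit_probability(length: int, live_urls: int) -> float:
    """Chance that a single random token resolves to a live URL.

    Assumes live tokens are spread uniformly over the space. Sequentially
    assigned tokens (the bit.ly case in the study) cluster, which only makes
    a scan cheaper, so this is the best case for the defender.
    """
    return min(1.0, live_urls / token_space(length))


def expected_requests_per_hit(length: int, live_urls: int) -> float:
    """Average number of lookups a scanner needs to find one live URL."""
    return 1.0 / hit_probability(length, live_urls)


def days_per_hit(length: int, live_urls: int, requests_per_second: float) -> float:
    """Wall-clock cost of one discovery at a given lookup rate."""
    return expected_requests_per_hit(length, live_urls) / requests_per_second / 86400


def secure_token(length: int = 12) -> str:
    """Generate a shortener token with a CSPRNG, refusing lengths the study
    showed to be enumerable (anything below MIN_SAFE_LENGTH)."""
    if length < MIN_SAFE_LENGTH:
        raise ValueError(f"token length {length} is enumerable; use >= {MIN_SAFE_LENGTH}")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    LIVE_URLS = 1_000_000_000   # constructed: a billion live short links
    RATE = 1_000                # constructed: lookups per second by a scanner
    for n in (5, 6, 7, 11, 12):
        print(f"{n:2d} chars: {entropy_bits(n):5.1f} bits, "
              f"{expected_requests_per_hit(n, LIVE_URLS):10.3g} lookups/hit, "
              f"{days_per_hit(n, LIVE_URLS, RATE):10.3g} days/hit")
    print("example safe token:", secure_token())
```

With the constructed figures a 6-character token costs a scanner about 57 lookups per live link found, while an 11-character token costs on the order of 5e10 lookups, which is why the length change rather than any rate limiting is what closed the hole.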

*****

You have to question why Google, with all their technical know-how and riches, never thought to consider the privacy of their users.  It’s not like Google could argue that they aren’t technical enough.

Vivaldi – New Browser – With Duckduckgo Search

https://vivaldi.com/

[Screenshot: Vivaldi browser]

[Screenshot: Vivaldi speed dial]

Change the Search engines

I deleted Bing, Yahoo and Google, and added Startpage.com

The two privacy search engines are Duckduckgo.com and Startpage.com – so make sure they’re the only two that you can default to.

Cog (Bottom Left Corner)

[Screenshot: Vivaldi with Startpage as search engine]

Speed Dial

Add speed dials for your favourite sites. You can see that I’ve added IVPN.

IVPN kicks in to prevent any accidental unencrypted connections to the Internet. This is the failsafe setting.   I use the DNS servers of IVPN rather than the DNS of the ISP for ultimate privacy.

IVPN

www.ivpn.net

[Screenshot: Vivaldi speed dial with IVPN added]

Ghostery

I added the Ghostery Chrome add-on to stop trackers.  It worked!  So Chrome add-ons can be used with Vivaldi.  The Ghostery feedback bubble gives great feedback to remind you that you are always being tracked online.

http://www.ghostery.com

HTTPS EVERYWHERE – EFF – Encrypted Browsing

https://www.eff.org/https-everywhere

[Screenshot: Vivaldi with HTTPS Everywhere]

AdBlock Plus, Privacy Badger – Superb Addons

[Screenshot: Vivaldi with AdBlock Plus]

NO2ID – Surveillance Bill – Snoopers Charter

https://www.no2id.net/newsblog/2015-11/no2id-on-ip-bill-government-expects-parliament-to-swallow-an-iceberg/

The new draft surveillance bill is like an iceberg, with a vast bulk of technical change obscured beneath the surface, according to civil liberties organisation NO2ID [1]. Theresa May presented the Investigatory Powers Bill [2] to parliament today as a measure “consolidating and updating our investigatory powers, strengthening the safeguards”. But it amounts to a dramatic alteration in the powers already available not just to the intelligence services, but to police, tax inspectors, and officials and regulators in almost every department of state [3]. It replaces several pieces of complex and technical legislation.

Guy Herbert, General Secretary of NO2ID, said:

“I would have more sympathy for the Home Secretary if she did not resort to glib hypotheticals about kidnapped children. This is not a proposed bill that is easy to understand or straightforward in effect.”

“The much trumpeted change in oversight focuses on a tiny portion of cases, the handful of warrants issued by Secretaries of State every day. The real issue is the tens of thousands of surveillance actions a day carried out by officials.”

“The Bill is an iceberg. It is easy to focus on the sunlight glinting on a few peaks, it is harder to grasp the important bits beneath the surface. What is clear is that Parliament is expected to deal with all of this before the expiry of the Data Retention and Investigatory Powers Act at the end of 2016 – to swallow the iceberg before its dimensions can be fathomed.”


Notes for editors:

1) NO2ID is the national campaign against the database state, the tendency to try to use computers to manage society by maintaining state files on the population as a whole.

2) Statement to Parliament 4th November 2015:

https://www.gov.uk/government/speeches/home-secretary-publication-of-draft-investigatory-powers-bill

3) Hundreds of official bodies have access to communications data and other surveillance powers, including bugging – which does not count as interception and does not need a warrant for an authorised agency.

IOT Privacy, Data Protection, Security – European thoughts on how to manage IOT

http://ec.europa.eu/information_society/newsroom/cf/dae/document.cfm?doc_id=1753

Page 9 of this European report on the “Internet of Things” states:

Do nothing: “Personal data today may be processed more easily and on an unprecedented scale by both private companies and public authorities, which increases the risks for individuals’ rights and challenges their capacity of keeping control over their own data (…). Moreover, there are wide divergences in the way Member States have transposed and enforced the Directive, so that in reality the protection of personal data across the EU cannot be considered as equivalent today.” IoT technology will lead to a far greater amount of personal data being processed. The very nature of IoT technology, to autonomously process and communicate data without human intervention, increases the need for not only harmonised technical standards but also legal requirements. Doing nothing might reinforce the adverse effects and seems to be the least preferable option.

Binding law: Binding law in combination with an increased level of data protection enforcement seems to be the most promising option to achieve the goals of ensuring a fundamental-rights-compliant and trustworthy development of IoT technology. As IoT technologies are in a very early stage of development, it also seems to be economically preferable to provide clear binding requirements already at this stage of the development. This allows for designing technology according to these requirements, rather than having to change already existing technology later on.


***

My thoughts on these options are that the American system is the “do nothing” option, which has adverse effects on privacy.  It is reassuring to note the comment from Europe that this is the least preferable option.

Europe seems to support binding laws to curtail the impact of IOT on civilians.  The impact of IOT cannot be overestimated.  It needs to be tightly regulated, as the effects, on balance, will be generally negative for most civilians.


iPhone – How to hack the iPhone password

You can buy this £120 iPhone hacking tool in the UK from the fonefunshop.

Watch the hack here:


The website to buy this hacking tool at the fonefunshop is here:

http://www.fonefunshop.co.uk/cable_picker/98483_IP-BOX_iPhone_Password_Unlock_Tool.html

It’s a brilliant example of “brute force hacking”, as it’s so visual.

****

User Guide

At FoneFunShop we have been helping people setup their tools since 1996, so we understand the frustration of getting a new tool to work.

We made the following guide to help you get up and running with your new IP-Box. We hope it helps :)


1. Download software and update IP-Box to 8.2v

Download and unzip the new version 8.2v from FoneFunMembers.co.uk (you may need WinRAR to unzip it).
Here is a video showing you how to update the IP-Box V2.
(This video shows you how to update your box firmware to version 6.3; it’s the same method to update to 8.2.)


2. Fix unlock code parameter settings on your IP-Box

You need to do this to fix a bug in version 8.2v; if you don’t, you will find that your box works too quickly at entering codes.
Enter 4500 in the “each group of data interval (ms)” area and click the “Download (free computer test plan 1) to the instrument” button to program the box, just like the picture below.

Once this is done you are ready to use your IP-Box to unlock the passcode on your first iPhone.


3. Check the iOS version of the iPhone you plan to brute force

Identify the firmware version of the iPhone and make sure it’s 7.anything.


Method 1 (recommended):

Use the iPhone Network Check service; this will tell you the exact iOS version the iPhone is using.


Method 2:

Download iFunBox (ifunbox2014); make sure you take the 2014 version.

Install and run it. Connect your iPhone to your PC (close iTunes if it opens automatically).

Click your phone when it displays in the bottom left corner (pictured below).

Your iOS version is now displayed (pictured below). Make sure it is 7.x.x.

4. Setting up cables and connections

Now you are satisfied the iPhone is running 7.x.x, it’s time to hook up your IP-Box and get it earning its keep.

First of all, close any IP-Box software you are running; it’s not needed.

If you are using a charging cable you will need to connect your mini USB cable to the PC and to the IP-Box, as the power from your PC will flow through the IP-Box and ultimately keep charging your iPhone while it’s being brute forced.

If you aren’t using a charging cable there’s no need to connect the IP-Box to your PC.

Now connect your light sensor to the disabled iPhone on a black part of the screen, in a place you know would be well lit after a password is entered correctly (just above the “slide for emergency” area of the screen works for me).

Push the sensor through the foam so it’s sitting flush on the glass, and hold the sensor in place with tape.

Finally, connect your cable from the IP-Box USB port to the phone port.

5. Release the beast

Now all the connections are in place, press the button on the clip to start the brute force procedure. You will see the number increase by one and a subsequent BUZZ as the code fails.

You should get Number… BUZZ… Number… BUZZ… Number… BUZZ etc. etc.

TIP: if you get Number… Number… Number… BUZZ then it’s not set up right; try stopping the process, repositioning the light sensor and restarting the procedure.

Now leave it going, and go and do something else while it does its job. Once the IP-Box gets the correct code the iPhone menu will appear as normal, which will trigger the light sensor, and your IP-Box will begin beeping and flashing the correct passcode number.

JOB DONE!!!!
