Life


from InformationWeek

The CIA on Friday admitted that cyberattacks have caused at least one power outage affecting multiple cities outside the United States.

Alan Paller, director of research at the SANS Institute, said that CIA senior analyst Tom Donahue confirmed that online attackers had caused at least one blackout. The disclosure was made at a New Orleans security conference Friday attended by international government officials, engineers, and security managers from North American energy companies and utilities.

Paller said that Donahue presented him with a written statement that read, “We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands. We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge. We have information that cyberattacks have been used to disrupt power equipment in several regions outside the United States. In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet.”

Paller said that details such as which foreign cities were affected by the outage, and other specifics of the attack, were not disclosed and are unlikely to be.

A call to the CIA asking for further comment was not immediately returned.

Donahue said that the CIA had thoroughly weighed the pros and cons of making this information public, according to Paller.

The prospect of cyberattacks crippling multicity regions appears to have prompted the government to make this information public. The issue “went from ‘we should be concerned about to this’ to ‘this is something we should fix now,’ ” said Paller. “That’s why, I think, the government decided to disclose this.”

The delegates at the meeting were sharing data about cyberattacks on critical utilities and resources, and methods of attack mitigation. One topic of discussion was the new SCADA and Control Systems Survival Kit, a document of best practices for SCADA systems. SCADA stands for Supervisory Control And Data Acquisition and refers to the systems that monitor and control critical infrastructure such as power generators, traffic signals, and dams. The security of SCADA systems has been a concern among federal officials for years.

In San Francisco on Thursday, following a private screening of the new documentary The New Face Of Cybercrime, Howard Schmidt, a former Microsoft (NSDQ: MSFT) executive and government cybersecurity adviser, mentioned ongoing concerns about the vulnerabilities of SCADA systems and noted that 85% of the U.S. critical infrastructure is controlled by the private sector. “No one should be minimizing this issue,” he said.

Citing two Government Accountability Office reports on SCADA security, Paller said that people have been adding wireless and Windows to SCADA systems without really thinking about security. “They’ve gotten radically unsafe,” he said.

from techcrunch.com

A pact between the French Government, French ISPs and the local music and film industry will see French users who download material from P2P networks losing their internet access.

French internet users will face a three-strikes-and-you’re-out policy, according to the NY Times. Users will receive a warning for each illegal download before losing their service on the third infringement.

French president Nicolas Sarkozy endorsed the deal with rhetoric that is bound to win him an Honorary Life Membership of both the RIAA and MPAA: “We run the risk of witnessing a genuine destruction of culture…The Internet must not become a high-tech Far West, a lawless zone where outlaws can pillage works with abandon or, worse, trade in them in total impunity. And on whose backs? On artists’ backs.”

The Far West of where? Perhaps I’m mistaken in believing that the Far East (i.e. China) is the global hotbed of Internet piracy… or did he mean the Wild West? Lost in translation, perhaps.

An independent authority supervised by a judge will manage the scheme and decide if and when users should lose their internet access.

Not surprisingly the recording and music industry loves the move, with the head of the IFPI (the international recording industry body) John Kennedy telling the Times that “this is the single most important initiative to help win the war on online piracy that we have seen so far… President Sarkozy has shown leadership and vision. He has recognized the importance that the creative industries play in contemporary western economies.”

from arstechnica.com

Over the weekend, a small storm erupted over new legal language that Verizon Wireless is passing quietly on to its subscribers. It appears as though the cellular provider is changing its terms of service to give the company the right to share sensitive calling data with third parties.

At issue is so-called Customer Proprietary Network Information (CPNI). While CPNI does not include explicit identifiers such as your name, address or phone number, it does include data on the calls you make and receive and the services you use, including the features and capabilities of your phone. That data could easily be mined to see what kinds of businesses you call and how often.

Verizon Wireless has been contacting its customers via snail mail to inform them of their intent to share CPNI data with its “affiliates, agents and parent companies (including Vodafone) and their subsidiaries.” The company says that customers who do not want their CPNI data shared need to call 1-800-333-9956 to “opt-out.” Upon dialing the opt-out number, Verizon customers will be prompted for their phone number, billing ZIP code, and last four digits of their Social Security Numbers (in the case of businesses, their Employer ID numbers). Failure to opt-out will be interpreted by Verizon Wireless as “consent” to the company’s data-sharing practices.

Although the Federal Communications Commission has said that it is very concerned about the protection of CPNI data, and is exploring the possibility of strengthening its rules on the issue, Verizon’s opt-out notice appears to fulfill the Commission’s CPNI disclosure requirements.

The Skydeck company blog was the first to suggest that what Verizon wants to do here is use CPNI data to offer targeted advertising. For its part, Verizon Wireless only says that it hopes to improve its “services,” but gives no concrete examples of what such improvements would look like. Without a doubt, the notice given by the company is extremely vague. Skydeck has a scanned PDF copy available for your perusal.

Verizon Wireless may just be a first mover among other telcos. The race is on in the telecom industry to tap the well of advertising for mobile services, and this opt-out approach is guaranteed to give Verizon a lot of CPNI data to share, an undeniable treasure trove of information for marketers. We don’t envision Verizon selling this data to third parties, but rather using it to build its own analytic advertising system and capitalize on the targeting in-house. The company isn’t likely to broadcast such plans until they are very close to fruition, however.

We will update this story when we hear back from Verizon about this new policy. In the meantime, if you’re a VZW customer and don’t want your CPNI data shared, you know the number to call.

from http://tech.nocr.at/

Sorry for the delayed posting of this, I had a lot of stuff to attend to when I returned home from Vegas.

I just wanted to take a quick second to thank all the people that made Defcon15 a lot of fun for me and my crew. Major Malfunction, Johnny Long, & Dan Kaminsky: as always, you guys put on a hell of a show. Thank you to all the speakers who put on some good talks this year, and hell, thanks to those of you whose talks didn’t live up to what I was expecting. Keep trying, it takes a lot of guts to get up there; who knows, maybe I will submit a paper next year.

Defcon Goons: Thanks for being so cool this year, I had a great time hanging out with you guys. Xinc and Quiet, I like to think that I was the first one “tagged” by the goons, but after reviewing our cameras, I see that you guys um “tagged” a few other things. (no-class pun, may be NSFW) You guys are a cool bunch, I would love to be wearing a red badge for real next year.


The I-Hacked party went off the hook when a few guys from the Wall of Sheep broke out their sticks and started swirling. I won’t mention your names on here, and I don’t remember your nicks, but I had a great time hanging out with you guys, and I know I owe a few of you some shirts I promised. Shoot me an email with some proof (like picking yourself out in a picture) and I will get them in the mail to you. For those of you who attended the party, I hope you enjoyed the give-aways provided by consolesource.com; those guys have been incredibly cool to deal with and I would encourage you to visit them any time you have any console modding needs. (Tell them I-Hacked sent ya) Grifter, thanks for everything you did to get us the Skybox and take care of the last-minute problems. I hope that is something we can do again next year.

Bunnie, thanks for coming through with the laser-etched VIP invites; they were insane. I can’t thank you enough for doing that. Sucks that bringing the etcher didn’t work out this year, let’s work it out for next year. =)

Joe, once again your badges blew me away. Like we talked about, Surbo has some great ideas for next year’s badge. He will be in contact.

Ninjas: You guys threw a hell of a party, one that I won’t forget. Thanks for the invite and I can’t wait for next year.

Lastly, thanks to everyone who came out, everyone who sported I-Hacked T-Shirts, and to all the Hackers who make Defcon possible! See you at 16!

You can see all of our photos we took here!

All of us at DC15
(P!nk Thr3@T , BT , Hevnsnt and Surbo)

from Make

Today in Germany the Hacker Tool Law goes into effect. Officially known as Paragraph 202c, it makes it illegal to possess, use, produce, or distribute a “hacker tool”.

In theory, law enforcement could come and arrest everyone here at Chaos Communication Camp. A group of hackers gathered in solidarity to protest this law. Hackers in Germany have been protesting the making of this law for the past year and are stunned that it passed and has gone into effect.

The term “hacker tool” is left vague. Nmap or other network scanning and monitoring tools could fall into this category. KisMAC, a Wi-Fi detection tool, shut down its German operation today. Phenoelit, a hacker group, also closed up shop and said goodbye to Germany.

From Zdnet

The North Denver News reports that Thomas Martel, 28, of Bonnie Brae, Colorado recently underwent “whittling” thumb surgery to better enable him to use the iPhone.

Thomas Martel, 28, of Bonnie Brae is a big guy. So he has a hard time using the features on ever-shrinking user interfaces on devices like his new iPhone. At least, he did, until he had his thumbs surgically altered in a revolutionary new surgical technique known as “whittling.”

“From my old Treo, to my Blackberry, to this new iPhone, I had a hard time hitting the right buttons, and I always lost those little styluses,” Martel tells reporter James Bently. “Sure, the procedure was expensive, but when I think of all the time I save by being able to use modern handhelds so much faster, I really think the surgery will pay for itself in ten to fifteen years. And what it’s saving me in frustration - that’s priceless.”

Well OK, Tom.

“This is really, on the edge sort of stuff,” explains Dr. Robert Fox Spars, who worked on developing the procedure. “We’re turning plastic surgery from something that people use in service of vanity, to a real tool for improving workplace efficiency.”

As Bently describes it, “the procedure involved making a small incision into both thumbs and shaving down the bones, followed by careful muscular alteration and modification of the fingernails.”

We have received a FREE PASS to DEFCON15 from a very generous I-Hacked member.

We have decided to have a little contest — The winner will receive this free pass, an I-Hacked T-Shirt, and a VIP pass to the I-Hacked party all of which is worth over $120!

All you have to do is submit the most hackerish, scandalous, or ingenious i-hacked.com photo or image! Previous contests excluded Photoshops, but not this one. Examples of entries: it could be of someone in an I-Hacked T-shirt doing something they shouldn’t, or a Photoshop of the words I-Hacked.com on the NYSE. The possibilities are endless.

Send all submissions to: defcon-entry@i-hacked.com

Contest will end Wed at Noon (central), and all entries will be posted on I-Hacked.com.

SPREAD THE WORD!

Just FYI Defcon starts THIS FRIDAY (8/3) SO HURRY!

from arstechnica.com

MIT Project aims human buffer overflow at Secret Service

By Nate Anderson
| Published: July 16, 2007 - 11:59AM CT

We’ve known for years that color laser printers can embed a series of tiny yellow dots on pages they print. The dots—almost invisible under normal circumstances—can be used to determine which particular printer produced the image. Essentially, each printer outputs its own serial number. This is great for busting counterfeiters but raises all sorts of privacy concerns. Now, MIT students are getting involved in the campaign against the dots with the new Seeing Yellow project.

Seeing Yellow is the brainchild of MIT’s Computing Culture research group, which “wants to preserve the right to anonymous communication by fighting both printing dots and the government bullying used to sustain them.” The project was conceived after the team received word that an anonymous hacker had called his printer manufacturer to complain and was subsequently visited by the Secret Service, who were curious to know why someone with nothing to hide would want to disable the tracking dots.


The dots (image courtesy of Seeing Yellow)

Seeing Yellow now encourages waves of people to contact printer manufacturers, enough so that the Secret Service and other government agencies cannot simply single out those who call to complain. The project is simple: suggest that people call manufacturers, then provide contact information and talking points. That’s it. So far, according to the site, 434 people have called.

Not sure if your printer is on the list? The EFF has a partial list of dot-printing machines. The dots are nearly invisible to the naked eye, but Seeing Yellow points out that the easiest way to see them is to shine a blue light on one of the printed pages. If the dots are there, they will show up as tiny black marks.
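The blue-light trick works because yellow ink reflects red and green but absorbs blue, so under blue illumination (or in a scan’s blue channel alone) the dots read as dark specks while the paper stays bright. The script below is an added example for this roundup, not code from Seeing Yellow or the EFF; it applies the same idea to a scanned page held in memory. The page here is a constructed grid of (R, G, B) tuples with hypothetical colour values, not a real scan, and the dot positions and thresholds are assumptions chosen for illustration.

```python
"""Locate printer tracking dots by isolating the blue channel.

Added example; not code from Seeing Yellow, the EFF, or any printer vendor.
Yellow ink absorbs blue light, so in the blue channel alone the dots are
dark on bright paper, while black text is dark in every channel and can be
excluded by also requiring bright red and green. All pixel data below is
constructed in memory.
"""
from functools import reduce
from math import gcd

PAPER = (250, 250, 240)   # warm white paper (constructed value)
YELLOW = (235, 225, 60)   # faint yellow tracking dot (constructed value)
TEXT = (20, 20, 20)       # black printed text (constructed value)


def make_sample_page(width=40, height=30):
    """Build a constructed page: white paper, one black glyph, a dot lattice.

    The dot layout is a toy pattern on a 6-pixel grid, not any vendor's code.
    Returns the page and the set of (x, y) positions where dots were placed.
    """
    page = [[PAPER for _ in range(width)] for _ in range(height)]
    for y in range(10, 13):            # a 3x3 black "glyph" that must not
        for x in range(5, 8):          # be mistaken for a dot
            page[y][x] = TEXT
    dot_positions = {(2, 2), (8, 2), (2, 8), (14, 8),
                     (20, 14), (26, 20), (32, 26)}
    for x, y in dot_positions:
        page[y][x] = YELLOW
    return page, dot_positions


def blue_channel_ascii(page, dark_max=120):
    """Render the blue channel as text: '#' where blue is dark, '.' elsewhere.

    This is the digital equivalent of looking at the page under blue light:
    both yellow dots and black text show up, because both are dark in blue.
    """
    return ["".join("#" if px[2] <= dark_max else "." for px in row)
            for row in page]


def find_yellow_dots(page, blue_max=120, red_min=180, green_min=180):
    """Return the (x, y) pixels whose colour looks like a yellow dot.

    A pixel qualifies when it is dark in blue but bright in red and green;
    the red/green requirement is what separates dots from black text.
    Thresholds are assumptions; a real scan needs tuning for paper tint.
    """
    hits = set()
    for y, row in enumerate(page):
        for x, (r, g, b) in enumerate(row):
            if b <= blue_max and r >= red_min and g >= green_min:
                hits.add((x, y))
    return hits


def dot_lattice(dots):
    """Infer the grid pitch of a dot pattern (gcd of coordinate differences).

    Tracking codes place dots on a regular lattice, so recovering the pitch
    is the first step before any attempt to read the pattern as a grid.
    Returns 0 when fewer than two distinct coordinates exist.
    """
    xs = sorted({x for x, _ in dots})
    ys = sorted({y for _, y in dots})
    diffs = [b - a for a, b in zip(xs, xs[1:])]
    diffs += [b - a for a, b in zip(ys, ys[1:])]
    return reduce(gcd, diffs, 0)


if __name__ == "__main__":
    page, truth = make_sample_page()
    for line in blue_channel_ascii(page):
        print(line)                        # dots and the glyph both appear
    dots = find_yellow_dots(page)
    print("dots found:", sorted(dots), "correct:", dots == truth)
    print("lattice pitch:", dot_lattice(dots))
```

On a real scan you would feed the RGB pixels of a 600 dpi scan into `find_yellow_dots` instead of the constructed page; the blue-channel rendering is usually enough to confirm the dots exist, and the recovered pitch tells you how to bin them into a grid for further analysis.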

from arstechnica

Today the US Senate Committee on Commerce, Science, and Transportation has passed S. 704, a bill that would make it a crime to spoof caller ID. Dubbed the “Truth in Caller ID Act of 2007,” the bill would outlaw causing “any caller identification service to transmit misleading or inaccurate caller identification information” via “any telecommunications service or IP-enabled voice service.” Law enforcement is exempted from the rule.

While we all probably wish this would outlaw caller-ID blocking (think “Private”), it won’t. The proposed legislation only targets misleading caller ID spoofing, such as pranking your buddy by sending along “Bush, G.H.W.” with your next VoIP call.

Kinda makes me want to set up an Asterisk box :)
