Tag: Security

systlin:

fieldbears:

ms-demeanor:

lyravelocity:

nihililithism:

notre-flame:

I really don’t understand anyone who still posts selfies at this point like. we’re all fully aware that the feds are monitoring us and using our photos to build a surprise database that will help them later it’s just not fucking worth it anymore 

Human brain: security culture

Monkey brain: validation nice

I will Not be cockblocked by spy nimrod fucks

I haven’t ever really talked about this before but I’d like to introduce a concept that I’m going to call “security nihilism.”

Here’s the deal: You’re already burned.

It’s over! There’s no going back! Your face is in a database and your DNA is in a database and your social profile is in a database and there’s nothing you can do about it. Even if you didn’t put it there somebody else did. Congrats, we’re all fucked!

Facebook builds shadow profiles on people who don’t have accounts. Surveillance cameras are everywhere. Your cousin signed up for Ancestry and your brother did 23&Me.

So what can you do about it? Essentially nothing. So there’s no point in panicking.

You know what you have to do if you want some kind of privacy? Start leaving your phone at home randomly. Or at work randomly. People don’t think about the fact that their cell phone’s location data (which is constantly tracking even if you don’t enable location data for apps) is a more effective way of tracking them than anything they post online and it’s *real* easy to get a warrant for that data. And if you suddenly ditch your phone for the first time in several months it’s suspicious as FUCK.

Automated license plate readers track your drive. Do you commute? Do you drive the same way every day? Why the sudden change to your routine? What were you doing that you needed to park your car and wander away suddenly? What are you hiding?

Complaining about people posting selfies when companies are compiling DNA databases and sharing them with the FBI is like blaming ocean pollution on people using plastic straws when about half of plastic ocean trash is abandoned fishing equipment.

Do you use gmail? You’re fucked.

Do you have a bank account? You’re fucked.

Do you use public transportation? You’re fucked.

Do you go to school? You’re fucked.

Do you have a job? You’re fucked.

I had to track down a guy who didn’t have facebook or social media profiles, didn’t have a listing in the phonebook, didn’t have a linkedin. I started with his first and last name and ended with his supervisor’s phone number, a ten year history of his income, and his home address. I got to it through his son’s little league team.

And I’m fucking J. Random Nobody. I don’t even have shiny databases full of tracking data.

So you’re already burned. There’s no going back, we passed the tipping point. Even if you threw out your computer and shut down all your accounts and smashed your cell phone and lived in the woods there’d be video of you walking out of town for the last time and satellite images of wherever you ended up setting up camp.

I was never going to be able to hide from the cameras on the streets and the data in my cell phone and the scanners that look at the license plate of my car and the information that my school sold about my age and income and interests. So fuck it. Share a selfie.

[fyi the secret to actual opsec is to trust no one and to have no discernible patterns – being in a facial recognition database doesn’t matter if you make a point of not showing your face when you’re doing whatever you’re doing that you want to keep quiet; your goal isn’t to evade the facial recognition software as you’re on the run from the government, your goal is to never even show up on their radar]

Sorry folks, all of this is right. Getting judgmental at other people’s selfies and masking it as an opsec fail is just ignorant 😀

As a security professional:

Yep. Correct.

thebibliosphere:

papafargo:

athelind:

autisticcosplay:

flicker-serthes:

honestmerchantsailor:

pettyartist:

naamahdarling:

iconuk01:

brunhiddensmusings:

vampire-rooster:

the-real-d-sandman:

daisenseiben:

superllama42:

tilthat:

TIL one of Frank Abagnale’s first cons included disguising himself as a security guard and hanging a sign above a bank drop box that read, “Out of service, leave deposit with security guard”. Later he commented how he could not believe it worked: “How can a drop box be out of service?”

via reddit.com

Apparently Catch Me If You Can was going to include this con but they had to cancel the scene because when they tried to film it people kept walking up and trying to give Leo their money.

So a professor of mine used to work at a bank back in the day. She says one day a guy in professional attire and a clipboard shows up in a big moving truck. He says he’s from the home office and they’re changing all the chairs. He needs them to just load all their old chairs into his truck and later he’d be back with the replacements.

And that’s how they gave away their office furniture to a conman whose master plan was “Wear a tie and carry a clipboard.”

Looking professional is just a pass to do whatever the hell you want.

Put a suit on and you can get almost anywhere.

There’s more to it: look nice and ACT LIKE YOU BELONG. If you don’t look like you belong there, people will stop you.

This smacks of a chef I heard of who was tired to death of every single person ordering their eggs ‘over easy’, so he asked the waitress to say ‘we’re out of over easy, we have plenty of scrambled’ and nobody questioned it.

How low must your self image be to plan to rob a bank and all you take is some second hand chairs?

I 100% believe this was a former employee with a grudge.

Kid you not, this is how a sister store of mine got their entire dog treat bar stolen.

A couple of guys said they were with maintenance and they were there to replace the old bar with a new one and the employees were like “Seems legit” and they wheeled them out. The staff even helped them do it.

This is called a “Bavarian Fire Drill” and the trick to pulling it off is to have absolute confidence that it’s going to work. If you seem even the slightest bit nervous or hesitant, everyone will see right through it.

Case in point:

In 1906, a German con man named Wilhelm Voigt dressed up in a German Army captain’s uniform and entered the town of Köpenick claiming to be an “inspector” (inspector of what, he never specified). He managed to wrangle ten German soldiers and a sergeant into assisting him, ordered the local police to halt all telephone calls to Berlin for an hour, arrested the mayor and treasurer for nonexistent charges of crooked bookkeeping, and confiscated the town’s entire treasury complete with a receipt which he signed with his former jail director’s name. He only got caught (two weeks later) because his former cellmate blabbed, and was later pardoned by Kaiser Wilhelm II who found the whole thing hilarious.

That Kaiser is a definite bro.

This is why Slytherins like to be fancy and professional looking.

When you’re a trickster, it pays to be … low key.

I was hired to help test a security system once. I was sent in to a semi-large company and had to go through a list of certain objectives. My favorite one was “take something out of the building that is too big to hide on your body.” I paired it with “get into a secured facility within the building.”

I walked in in my general business getup. Shirt, tie, jacket, nice pants, not quite “suit” because it was all just a little bit shabby and not exactly matching but not clashing. Nice briefcase. Clipboard.

Getting into the secured part was easy. Learned the name of the supervisor, told the security guard that “Cindy said they’d let me in without a problem on my first day. Something about the badges not being made fast enough.” Sure, no problem, go ahead.

Walked in, unhooked a PC tower, walked to the bathroom where I’d hidden a dolly earlier, went into a stall and changed into the outfit I’d had in the briefcase. It was what I’d consider workman’s clothes but a worker in an office, not like a construction worker.

Blue jeans, t-shirt, worker’s vest (low key), hat, good boots but 2nd hand.

Threw the tower on the mover’s dolly with a couple other things, stacked very slightly precariously but not likely to fall, walked over to the stairs leading down, and started going down to the way out, which I knew had a security guard on it.

As soon as I saw him see me I stumbled and yelled out. He came running over and helped stabilize everything. Helped me down the stairs. Held the door open for me and told me to “have a nice day” as I left. Never asked for my badge or even where I was going with the stuff.

Act like you know what you’re doing. Look like you belong. Be confident.

That’s 75% of it right there.

That is some Moist Von Lipwig bullshit right there and I am fucking delighted.

Shutdown: Dot-gov websites vulnerable to cyberattacks, certificates expiring amid funding pause

mostlysignssomeportents:

“With around 400,000 federal employees currently furloughed, more than 80 TLS certificates used by .gov websites have so far expired without being renewed.”

Federal workers went without their paychecks Friday, as Trump’s shutdown of the U.S. government continues for 21 days and counting. With no end in sight, concerns are rising that dozens of U.S. government websites have become insecure or completely unreachable, as their transport layer security (TLS) certificates expire.

A Thursday report from Netcraft estimates that the .gov websites are using 80 or more expired TLS certificates.

Sites like NASA, the U.S. Department of Justice, and the Court of Appeals are affected.

Funding to renew the certificates is on hold while the shutdown continues.

Any of the government websites with an expired cert becomes newly vulnerable to any number of internet-based assaults, including man-in-the-middle (MITM) attacks that enable third-party bad guys to intercept what passes between an internet user and a web application on the affected site. Bad guys can eavesdrop on traffic, assume the identity of the government website, and siphon off data input by the user.

What kind of data? Maybe your name, your social security or tax ID number; a whole lot of people are going to be poking around on IRS dot gov this month. This could get bad.

https://boingboing.net/2019/01/11/shutdown-dot-gov-websites-vul.html
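An added example, not from the post or from boingboing: a small certificate-expiry monitor of the kind that would have flagged the .gov certificates before they lapsed. It classifies certificates from the dict shape that Python’s `ssl` module returns; the sample records, hostnames and the fixed “now” date are constructed for the example, and `fetch_cert` is an assumed helper for live use.

```python
import ssl
import socket
from datetime import datetime, timezone

# Constructed sample records in the shape returned by SSLSocket.getpeercert()
# (only the fields this monitor uses). The hostnames and dates are invented;
# they are not real .gov certificates.
SAMPLE_CERTS = [
    {"subject": ((("commonName", "expired.example.gov"),),),
     "notAfter": "Jan 05 00:00:00 2019 GMT"},
    {"subject": ((("commonName", "soon.example.gov"),),),
     "notAfter": "Jan 20 00:00:00 2019 GMT"},
    {"subject": ((("commonName", "fine.example.gov"),),),
     "notAfter": "Dec 31 00:00:00 2020 GMT"},
]

# Fixed reference time (the shutdown's 21st day) so the example is reproducible;
# a real monitor would use datetime.now(timezone.utc).
NOW = datetime(2019, 1, 11, tzinfo=timezone.utc)

def common_name(cert):
    """Pull the CN out of getpeercert()'s nested subject tuples."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return "<no CN>"

def classify(cert, now=NOW, warn_days=30):
    """Return (cn, days_left, status); status is 'expired', 'expiring'
    (fewer than warn_days left) or 'ok'. days_left is negative once expired."""
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    days_left = (expires - now).days
    if expires <= now:
        status = "expired"
    elif days_left < warn_days:
        status = "expiring"
    else:
        status = "ok"
    return common_name(cert), days_left, status

def fetch_cert(host, port=443, timeout=5):
    """Assumed helper for live checks. Verification stays on, so an already
    expired certificate raises ssl.SSLCertVerificationError during the
    handshake instead of being silently accepted; treat that as a failure."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def report(certs=SAMPLE_CERTS, now=NOW):
    """Map each CN to (days_left, status) for the whole inventory."""
    return {cn: (days, status)
            for cn, days, status in (classify(c, now) for c in certs)}
```

Run `report()` on the constructed records to see one expired, one expiring and one healthy certificate; pointing `fetch_cert` at real hosts turns it into a scheduled check.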

Sennheiser’s headphone drivers covertly changed your computer’s root of trust, leaving you vulnerable to undetectable attacks

mostlysignssomeportents:

Your computer ships with a collection of trusted cryptographic certificates, called its “root of trust,” which are consulted to verify things like SSL connections and software updates.

A recent report from Secorvo reveals that Sennheiser’s Headsetup drivers for its headphones covertly inserted two certificates into this root of trust. What’s more, the certificate was ineptly secured, making it possible to guess the other half of the key-pair (certificates come in pairs; what one signs, the other can verify, and a well-formed certificate can never be used to infer its matching other half).

Worse still: the Headsetup installer didn’t remove the certificates when you uninstalled the software, leaving your computer in a vulnerable state.

The upshot: anyone with access to the Headsetup installer could figure out the signing key, then use that key to sign certificates that would allow them to impersonate Google, Apple, Microsoft, your bank, the IRS (etc) to your computer, in an undetectable way, opening the door for malware, phishing, and other attacks.

https://boingboing.net/2018/11/29/check-your-headsetup.html