Josh Davis from Wired Science takes a closer look into the world of high tech crime.  Very fascinating video.

I’m impressed by this little device called the Yubikey which is the creation of a company called Yubico.  The Yubikey is a tiny form factor USB authentication device which produces a one time password for authentication purposes.  Essentially the Yubikey acts like a keyboard and auto enters passwords which are 32 characters in length (8 characters never change) so in layman’s terms this gives you a 32 characters password which is always different each time you use the Yubikey! (hence the one time pass key).

It should be noted also that you’ll need to authenticate with a Yubikey server.  You can build your own in-house server using Yubico’s basic SDK, click here for more info, or you can authenticate with Yubico’s own server using their API.

There is sure to be more Yubikey authenticating servers as support increases.

The Yubikey is around $44.00

First of all, be clear about what type of hacker your referring to… please!  The general term “hacker” can refer to different groups of computer professionals, and so often it is confused by the “press”  “White Hats” are “good hackers” they try to fight “Black Hats” who are generally criminals… most Linux users are “Hackers” as they are trying to improve the software they use!  So when this ad/article says “Hackers Can Turn Your Computer Into A Bomb” they should more appropriately say “Black Hats Can Turn Your Computer Into A Bomb!”…

Why does the press quickly jump to calling computer criminals general “Hackers”?

In a post yesterday I commented about an article in Information Week, part of my point is that hackers are sophisticated enough to get what they are after.  Motivation is the key, and the graphic below certainly supports this theory:

(click the thumbnail to enlarge)

Two days ago Information Week wrote an article about 3 medical students suggesting that there is a possibility of a pacemaker (with wireless capabilities) being susceptible to hacking. An excerpt from the Information Week article:

“Our investigation shows that an implantable cardioverter defibrillator (1) is potentially susceptible to malicious attacks that violate the privacy of patient information and medical telemetry, and (2) may experience malicious alteration to the integrity of information or state, including patient data and therapy settings for when and how shocks are administered,”

I suspect this will remain just what it is, a proof of concept. What low life would want to target some poor soul with a pacemaker is beyond me. Let’s assume for a moment somebody did attempt to hack one of these pacemakers, they could potentially murder the person they are targeting. I can’t see how the reward is valuable enough to initiate the action.

In the article the medical students claim that it is unlikely that this will happen:

“We believe that the risk to patients is low and that patients should not be alarmed,” the researchers say. “We do not know of a single case where an IMD [implantable medical device] patient has ever been harmed by a malicious security attack. To carry out the attacks we discuss in our paper would require: malicious intent, technical sophistication, and the ability to place electronic equipment close to the patient. Our goal in performing this study is to improve the security, privacy, safety, and effectiveness of future IMDs.”

Curiously though, their reasons above for why the risk is low are completely misguided. First they say someone would need to have malicious intent. Well, correct me if I’m wrong but most hackers do have some form of malicious intent, wouldn’t you say? The medical students continue by saying someone would need “technical sophistication”… this is perhaps one of the most asinine statements I ever read. Unfortunately many of these computer criminals are more sophisticated than these medical students would like us to believe. Many of today’s top information security companies are headed up by a former hacker.

Nevertheless, minus the irrelevant reasons why this wouldn’t happen according to these medical students, I have a theory. Maybe somewhere deep in the mind of the potentially malicious hacker lies some degree of morality, and maybe not!

Let’s hope in this case there is some morality somewhere.

I cam across one of the most interesting stories I’ve read in a long time.  A story on wired that is a must read.  It’s an engaging story about a teenage phone phreak and the FBI.

Press and hold “Control-Alt-Delete” on your keyboard and select “Start Task Manager”. You’ll see a long list of processes that you don’t recognize. How can you tell if these are harmless or malicious? Visit exeLibrary to find out. From the about page:

“exeLib is the fastest growing, most accurate, database of executable programs. Each program is stored in the database with some information: the file name, description, the effects, the risk factor, and a few other pieces of information, this information is then displayed to you in a readable, easy to use fashion.”

I’m a huge fan of Google. I forward all email into gmail, I use picasa for all my photo albums, I search with google, I’ve been investigating their Android mobile phone platform, I frequent their code repository, and the list goes on.

I find this latest Google endeavor a bit troubling. Google began piloting their newest medical records program yesterday with a clinic in Cleveland Ohio (as many as 10,000 patients).

I have to admit, there have been times when it would’ve been convenient to have access to my medical information, but I can’t get my mind around the fact that storage is up in the “cloud”, accessible from wherever.

The clinic in Cleveland Ohio currently has medical records in a digital data bank that offers their patients the ability to look at them online, so it’s not a huge change (unlike a lot of other hospitals).

The World Privacy Forum has voiced its opinion, saying that their concern lies in the fact that past identity theft has been an issue, and a company like Google who already has a huge amount of “other” data could just add to the problem.

There is a potential for some nasty new exploits. It’ll be interesting to see how well this pilot goes. I wish Google all the best.

Yet another horrific hack (depending on your view) has been demonstrated at the Black Hat conference in DC. Apparently two guys named David Hulton and Steve Muller are able to crack cell phone encryption used on (GSM) cellular signals (AT&T, Cingular and T-Mobile use).

For around $900 in equipment and a little bit of time you can decode a conversation. The method that Hulton and Muller use to decode a conversation will be made public at no cost. Now anyone with a some cash can purchase the equipment and start spying on you! There will be a “premium” version as well for 1/2 million dollars that decrypts in around 30 seconds.

According to Hulton and Muller they aren’t creating technology that does interception but only “crunches” data…

I’m a fan of new emerging technology and hacks, but this sounds like an invasion of privacy to me.

The darkest corners of the Internet are booming with help wanted ads looking for hackers who are fluent in foreign languages, such as Mandarin, Russian, and Chinese. If written poorly, scams like email phishing and grammatically incorrect web pages make it difficult to trick people in other countries into revealing their financial information. So what’s a hacker to do? They recruit, they need to ensure their spam looks authentic.

To target a specific countries biggest market, one needs a hacker that speaks that countries language. To use a metaphor, the bad guys see the Internet as one large piñata, they thrash it with every tool they can to see if and where it will break. What’s a crime to you and I is a business in the eye’s of an Internet criminal.

Unfortunately online scams are becoming more sophisticated, as David Marcus, security research and communications manager with McAfee says that only a few years ago spam was poorly written and less believable than it is now, but now it’s becoming more difficult to tell what is real and what is not.

The best advice is also the simplest. If something sounds too good to be true it is. Also keep in mind that any financial institution will never ask for private information through email. Never… click on any links in your email, even if it is from someone you know. It has become trivial to spoof email.

More often than not, common sense is all that is needed to protect yourself from a majority of Internet criminals.