As someone who has programmed since the late 80’s the scariest thing is just how flaky everything is.
It’s turtles all the way down except the turtles are horribly written unmaintained code that no-one commented and the guy who wrote it left the company 5 years ago to take up yak farming.
Our entire modern economy and to some extent society is entirely dependent on systems that where written by people like me.
That is fucking terrifying.
Professional Hacker(Penetration Tester) here.
I would say the scariest thing I run into on a daily basis is how shoddy in the security sense most of the code out there is. I deal mainly with web applications, and it amazing some of the things the developers come up with. It might be super fast and functional, but horrible security wise. The number of big development firms that have no security cycle or qa cooked into their dev cycle is astonishing.
The second is just how little understanding in the general public there is about how tech actually works, what its doing. Everyone uses it for everything, yet there are people out there that are in charge of commerce apps that take your financial data that don’t know what a web browser is. I actually think the general population is getting more tech illiterate. As devices have become more user friendly, the level of IT knowledge required to use them has gone down dramatically. So what we have now is the equivalent of a bunch of toddlers running around with bazookas and not knowing what makes them go boom.
My experience has been that a non-trivial (30-90% depending on the location) of developers are just trying to keep their heads above water. They really aren’t competent enough at their job so just getting the feature dev’d or the bug fixed is all they can really manage. The thought of them stopping in the middle of, “Holy fuck I need this working by tomorrow night!” and saying, “But what about SQL Injection?” is just something that wouldn’t occur to them.
Making matters worse is that often the first person to bring up the whole “SQL Injection matters” in those environments is some obnoxious neckbeard who describes everything in the same condescending tone whether it’s legit (guarding against SQL injection) or not (making every single thing ever configurable or adhering to some other esoteric principle that they care about).
I’ve honestly just tried to stay away from WWW facing web-apps as much as possible b/c while I think I’m very good at my job, I wouldn’t bet my peace of mind against my ability to make a financial app that’s safe to send out to expose to the world.
I fix laptops, a few weeks ago I was called in to fix 5 or so laptops for a small company 3 girls in the office.
Needless to say, every computer had a backdoor and keylogger sending to an IP address originating in India.
Fixed it, asked the girls, if money has ever disappeared from their credit card or if customers ever complained about missing money.
Its scary to think, maybe 95% of the population is computer illiterate on protecting themselves from the most basic of things.
You really aren’t going to get anything too “scary” here, and certainly not in any language an amateur would understand, but here’s some info/tips/whatever:
- You can use a very basic and very old (but still working) exploit called ARP Spoofing (or ARP Poisoning) to intercept any traffic on your LAN (which on something like an office or college network may include hundreds of people). You can use this method to record everything they do on the Internet and even extract any usernames and passwords they may use (Facebook, GMail, etc.). But what about SSL? You use a MiM attack. But won’t that throw a cert error? Yes, but most people ignore those. Bottom line is be careful what you do on public and semi-public (office) networks and try to just wait until you get home if it’s sensitive data. Certainly don’t do any banking on the airport/hotel WiFi.
- The best way to get someone’s password is to just ask for it. I really can’t believe how many people still refuse to believe this, but administrators will never ever ask for your password. Stop giving that shit out. If you get an e-mail asking for your password, it’s always a scam. Always always always. No exceptions. Seriously, people.
- Don’t use the same password for anything. Hacker 101 is that once you compromise one account (ideally e-mail), you go through their e-mail notifications to see what other accounts they have. Then you go to those sites and try to log in with the same password. It usually works. Also you really shouldn’t even use the same username for difference sites, because if I crack an account other than your e-mail address I can still just Google your username or try sites I think you might visit. So your Reddit username should not be your GMail username and they certainly should not be the same password.
- You can rather easily build at home a device which intercepts GSM (cell phone) data in the area. You can also easily build or buy a device which jams cell phones in the area. I should note that it’s a felony to use or posses these.
- Yes, we can use malware to remotely activate your webcam, microphones, and whatever else is plugged into your computer. Cover the lens when you’re not using it. Ditto on cell phones, but there’s no much you can do about that short of removing the battery.
- Everyone should know about ATM skimmers. Google it.
- Large parts of hacking rely on exploiting the user, not the machine. We’ll try to trick you or trap you into doing something stupid. It’s much easier and more reliable than trying to actually compromise software. Most penetration testing firms (hackers you pay to test your network security) have a 100% success rate when they’re allowed to exploit users.
I used to work for a defense contractor. There was a major push for cyber security and at one point, the company had launched a campaign where they hid a token under multiple layers of security and had a competition to see who can get to the token first. About a week or so later, we all received an email indicating that a user had broken in – via social engineering.
Any router using WEP is insecure.
You can have the strongest IT system in the world. You can spend billions on software & hardware protection, but if I can ring the new employee called “Cathy” and say “Hey, Cathy, you’re new here right? Yeah it’s John from IT Security, There’s been a breach and I need Sys Admin password quickly so I can patch it up”. “Ok” says Cathy, under stress to fix the problem And there I have it. I got the password.
It’s called Social Engineering and 9 times out of 10 that’s how people hack accounts.
Those browser warnings about untrusted SSL certificates that everyone automatically bypasses could be an indicator that you’re a victim of a man-in-the-middle attack. In other words, your data is being routed through an attackers system, possibly through an ARP or DNS spoofing attack. By bypassing the warning messages, you have (possibly) just agreed to trust an attacker supplied, self-signed SSL certificate. This isn’t the case 100% of the time, but def a reason to pause and scrutinize the warning.
Nearly every single Comcast router I’ve ever tested is vulnerable to a WPS (wifi protected setup) authorization bypass vulnerability. Disable WPS to protect yourself against it. i.e any asshole can join your WPA2 protected WiFi network in 10 hours or less with zero knowledge of your pass phrase.
Many office buildings have secure areas that require an ID badge for ingress access. However, when exiting said secure area a proximity sensor detects the presence of a person on the secure side, and unlocks the door without requiring an ID badge. It’s possible to abuse the behavior of the proximity sensor on the secure side of the door using a can of compressed air, effectively bypassing the need to have a valid ID badge. Hold the can of compressed air upside-down, place nozzle between door cracks, aim toward the ceiling (toward the location of the proximity sensor on opposite side of the door), pull trigger to spray.
If the proximity sensor is improperly configured, the door will open as though a person was on the opposite side exiting the secure area.
Physical storage doesn’t last for as long as people think. CDs and DVDs have a finite lifespan. If you have photos backed up on a disk in the attic from the 90’s they could potentially fail if you ever wanted what was on them. Same thing with USB flash drives and HDD’s a decade or two before they fail.
This isnt a problem right now but imagine a world where everything is stored digitally as opposed to hard copy (which also has a finite lifespan) your grandkids wont have any of your pictures or files because they will all be gone. Sure you could do online backups but even then how long will that service be around? How many times has a company gone out of business taking its media with them?
Edit: To make myself clearer of course Google can keep raid arrays in different locations around the world and replace failing drives. Yes you can keep your data online, but an online backup is still stored on physical media, where will that company be in a 100 years?
11. Uh, wat
The fact that wind turbines and power stations are publicly accessible.
- People have hacked cars and most over forms of transportation. These hacks have included the ability to stop your brakes from working and moving your steering wheel. While the knowledge is currently held by a small group of people, it never stays that way and I predict that “murder by hacking/trolls” will be old news before 2020.
- If the GPS system were to ever fail, just like GLONASS did the economic damage would easily be in the 100’s of billions as financial institutions depend on GPS for timing. Note that this technology was developed 19 years ago based on a 41 year old theory. One mis-programmed counter could bring it all down if it wasn’t caught.
- Everything from power plants to dams to oil pipelines still uses SCADA a protocol developed with 1990s era security practices. These systems are connected to the internet. One worm on the scale of ILOVEYOU built to target these systems would have wide reaching real world consequences including cutting off municipal water supplies.
- While bug bounty programs are a step in the right direction, from an economic perspective it is orders of magnitude more profitable to sell a zero-day vulnerably on the black market then it is to sell to a company. This means that most software zero-days are being sold and horded instead of patched. In practical terms this means that almost all of the software you use is vulnerable.
- Taking all of those things together gets us the scariest part of the picture. In the next decade I predict that there will be a cyberwar or a terrorist attack over the internet. People will die and the economic damage will be equal to, if not greater then a bombing of a major city. This will provoke a backlash that will fundamentally rewrite the way that we interact with our computers. I cannot even hazard a guess as to what direction that will take but if Computer Fraud and Abuse Act is anything to go by, it will not be pretty.
- There are open source programs out there that let you build your own software defined radio. People use them to listen in on satellite communication.
- Cubesats are almost economically viable for the average person to build and launch one. This means that we could soon see high-school science projects that involve launching something into space and talking to it. Think about that for a moment, it only been 57 years since mankind first put something into orbit and we have mastered the technology to the point that it is possible for hobbyists to get involved. There are people alive right now who are older then spaceflight.
- Access to supercomputers is becoming easier and easier. This is changing the face of everything from engineering to art. Soon people will be able to access more computation power then their brain could ever match and use that to create stuff!
- RepRap exists as a wiki for open source 3D printers made out of (mostly) 3D printer parts.
From my experience working in customer service / technical support for different US companies, the worst security questions out there are:
- What is the name of your favorite book? Most common answer: The Bible
- What is the name of your favorite vacation spot? Most common answer: Hawaii
- What is the name of your favorite teacher? Most common answer: Jesus
1. Metadata: almost every consumer device is designed to track the movements and activities of owner. digital cameras, cell phones, scanners, printers, camcorders, all save files that are stamped with metadata, date, time and serial number of the device. printers put a tiny encoded serial number in the corner in almost invisible yellow ink. If you post a naked picture to /gonewild and use the same camera to post pictures to facebook, pervs, companies and intelligence agencies can track you by the metadata. and use it to build a detailed picture of your life by linking online accounts that may appear separate to the untrained eye.
2. Databases: online analytical processing (sometimes referred to as ‘big data’) : This is something not many people, even techies are not fully aware of. The power of databases is extraordinary to merge databases about people, all you need is a common ‘unique identifier’, this could be a SSN, a telephone number, an e-mail address, but also something less tangible, like a signature generated from your browser habits (how many people really visit the sites that you do on a daily basis), your browser settings (screen resolution, fonts installed, preferences set) etc.
All you need is one common unique identifier to merge 2 databases containing potentially millions of records about millions of people. There is a huge black-market for databases, hackers steal databases and put them on bittorrent, companies go out of business, often the most valuable asset during liquidation is the customer database. There are companies, agencies and individuals who collect and merge databases in order to harvest marketing info, or simply sell access to it as a service.
Almost every time you hear about a data breach and you are asked to change your password, it’s likely that all other information you sent to that company is also in the hands of somebody untrustworthy, companies often encrypt/hash/salt their password fields, they don’t protect user data in the same way as it’s not practical for them to do so.
3. Cryptography: People need to learn how to encode their messages, to inform themselves about applications that can be trusted channels of communication, that use an openly auditable, peer reviewed process in it’s development. if these applications don’t yet exist we collectively need to start funding them as basic, simple to use tools of communication.
4. Centralized Systems (aka ‘the cloud’): ok, the cloud is a loaded term, it’s a buzz word in IT with 2 meanings, one meaning is hosting of server and bandwidth provided by companies like amazon, azure etc. you are an IT / developer who has an application in mind for 100 servers (but might not need that many) then this is great.
The other meaning of the cloud is when a company asks you to do something that would be normally done on your local PC, on their server. THIS IS A BAD FUCKING THING! what they have done is re-named centralized computing common in the 1970s where you had to ask an authority for permission to run code, and were only allowed to do what you wanted after receiving approval. This architecture is inherently authoritarian and undermines the power of the user. When Adobe moves photoshop to the ‘creative cloud’ they are asking you to trust them to store all your work in progress. if these companies go out of business, or if they upgrade the software, or choose to double the price, you are fucked! you loose access to all your previous work, you can’t export or save your files, and you are sharing your files with a 3rd party, same goes for dropbox, office 365, google docs, but even things we take for granted, web based e-mail. If webmail services were secure why do businesses individually pay for expensive mail servers, software and maintenance.
5. The cost of free: people know this but have not thought about it deeply enough. the expression ‘If You’re Not Paying, You’re The Product’ completely rings true.
6. You’re paying too much for crap software: with the amount we all pay in software licenses each year (for basically the same thing with a few new features and a little window dressing), for a fraction of this we can fund open source software developments that can be used for more, did you know that you can use VLC player to record anything to a file, stream from your webcam to the world, screencap/stream your desktop, projects like mediagoblin let you set up your own youtube type media sharing site. Over the past decade, consumer OS’s and ISPs have had the server based features removed so that they can be sold back to us at a premium, general purpose computing and the promise of the internet is that anyone connected can be a server, can be a service provider, and not just a consumer.
Almost all industry computers(think controllers for huge factories, power plants, water reclamation, distance heating, etc…) have well known default passwords or even hard coded admin accounts. Back in the day, this was not a huge problem because you would run them on private networks with no connection to the internet.
Nowadays, the internet is available everywhere and much much cheaper than private networks, so many of these industry computers are now reachable from the internet.
People that know what they are doing would only make them accessible over a VPN, but there is a very large number of people that shouldn’t be allowed anywhere near a keyboard…
Every single network maintains something called an ARP table. ARP stands for Address Resolution Protocol. Its basically a table that matches an internal IP address (assigned by your router to each local machine) to a MAC address (a hardwired ID for every network card on a device). So it knows what machine gets what data.
The super scary thing about this is, it is 100% entirely unsecured on nearly every local network. Anyone can write ARP data, even the data for other machines. Which means I can tell every single device on the network that my MAC address, and therefore my machine, is the router. Which means all data on the network will come to my laptop, before my laptop sends it to the router. I see literally every piece of data sent or received by every computer in the network.
Not only do I see the data, but I can edit it on the fly. I can enact a DNS spoof, assign myself as the DNS server for the network, and decide which Domain Names go to which IP. You search http://www.google.com, and maybe I send the data to “biggiantblackdicks.com”. Or maybe even worse, I set up my laptop as a webserver with a fake facebook page and redirect all Domain Names to my IP. Instead of logging in to facebook, you just willingly give me your account credentials.
Not only is all of this possible, its really easy. Script kiddie shit, automated entirely. Public wifi is extremely insecure for….pretty much everything. In fact, it doesn’t matter if its a public network at all. Anyone on nearly any network can do this.
In the mid 70s, IBM submitted an encryption standard to the National Bureau of Standards for encrypting sensitive documents. The NBS scrutinized it, thought it was good, and sent it off to the NSA for comments. The experts at NSA looked at it and recommended some mysterious tweaks that befuddled some of the leading academics at the time. Some of the tweaks, like the shortened key length and “S-boxes”, looked suspiciously like security holes that the NSA could plug into and decrypt messages at will. The Senate reviewed it and deemed it acceptable, and so it served as the encryption standard from then on.
In 1990, ~15 years after the proposals from NSA, academics published a technique known as differential cryptanalysis to break block ciphers. Turns out that those mysterious recommendations from the NSA back in the 70s were engineering specifically to resist attacks based on differential cryptanalysis. The Data Encryption Standard didn’t have any defenses against linear cryptanalysis, however, which was “discovered” 2 years later. One must imagine that the NSA most likely knew about the technique in the early 80s as well. This puts the NSA at about a 15 year advance over the academic community, so I wouldn’t be surprised if the NSA is currently discovered new techniques that won’t be publicly known until 2030.
Most large retailers have cameras and audio throughout the entire store. They actually have facial recognition and tie your purchase transaction (name) to your face.
They can also monitor your movements and what you’re saying from their headquarters. It’s one giant system, everything is connected. I was sitting in a board room with shoppers on the ‘big screen’ monitoring their actions.
Essentially you can just click a name from people in your stores and watch and listen to a shopper from the minute they are detected (even from some parking lots).
That is just the beginning. They also log what your movements throughout the store are, if for example you spend time in the video game section they may send you coupons or target you on facebook with Playstation ads.
This is not a ‘big brother’ fear, this is from experience working in their security departments.
Bonus – They also have good algorithms to determine if you’re likely pregnant based on shopping profile or if you’re cheating on your spouse.
Extra Bonus – If you spend time in the video game section and then walk to the back of the parts section or the crappy clothing section (far corner) they will send a plain clothed shopper to determine if you are (probably) shoplifting.