
Thread: wikileaks year zero vault 7 - CIA hacking files

  1. #31
    Join Date
    Nov 2011
    Location
    At Lunch
    Posts
    9,314
    Mentioned
    732 Post(s)
    Quote Originally Posted by DigitalChaos View Post
    two years ago? Man, social engineering has been a thing for decades. I feel like Mitnick going to jail in the mid 90's is what pushed it into the mainstream. It's still one of the more common ways people get access to your stuff, if you are targeted.


    Fun fact about the SE competitions: Women tend to absolutely dominate them, even complete novices. Also, women tend to be the most resistant to social engineering attacks.
    I love throwing this factoid out when doing talks. It encourages people to experiment who may be novices, and it messes with people that have poor understandings of gender equality :P


    Anyway, I have taken to showing people this as an intro video to what Social Engineering is. It was shot at the 2015 SE competition area at DEFCON.
    And I have absolutely used my own kids even worse shit, especially in person... (I'm an asshole, I know)
    HOLY SHIT. Why don't they use this in training videos for customer service??

  2. #32
    Join Date
    Dec 2011
    Location
    san fransisco
    Posts
    858
    Mentioned
    30 Post(s)
    Quote Originally Posted by allegro View Post
    That is in his article, speaks to subjective "worry." Like, just because you aren't paranoid doesn't mean people aren't out to get you ... har har har. The conspiracy theorists think the NSA is living in our Amazon Echo all day, so now they will think that a CIA agent is in the baby monitor, Nest thermostat and the remote-read RF water meter and is watching you on your home security system.

    (But I still won't get an Echo. I also have electrical tape on the cams on my laptop and iMac. I'm not a drug dealer or a terrorist but I don't want people seeing me walk around naked. If the CIA or NSA has it, so do bad guys - that's my motto.)

    You can't plug a USB into an iPhone.
    most "smart" are communicating to the internet in some way. the question becomes what does that info look like. when siri first launched it was found that the communication to the servers was in plain text. what does that mean? if someone had a packet "sniffer" you could watch the traffic, you could read their queries. but there is some common sense involved: no, I'm not going to say alexes, where can I score some heroin. I also would not use a phone to unlock my house or start my car. as with most things your "smart" fill in the blank is usually smarter than you.
    my .02
    -Louie

  3. #33
    Join Date
    Dec 2011
    Posts
    5,041
    Mentioned
    162 Post(s)
    Quote Originally Posted by Louie_Cypher View Post
    cool stuff if you go to 25 this year let me know i would be happy to buy you a beer
    -louie
    i have been there for the last 4 years. I hope to go this year, but never know until like a month before due to how chaotic life is. This year is even more chaotic...


    If you want, connect with me via twitter. I use it lightly but primarily for my infosec stuff (that i can talk about publicly) and for meetups at the conferences.
    http://www.temporary-url.com/p2SfGz (anyone is welcome to connect, but i'm using a link that expires in 24hrs so it doesn't get cached by search engines. just PM me if it's dead)



    To loop this back to the thread, here is a hack of a Samsung TV's camera that was demo'd in 2014 in the DEFCON kids area. It's funny seeing it get headlines now that the CIA is copying it.

  4. #34
    Join Date
    Nov 2011
    Location
    At Lunch
    Posts
    9,314
    Mentioned
    732 Post(s)
    Quote Originally Posted by Louie_Cypher View Post
    as with most things your "smart" fill in the blank is usually smarter than you.
    my .02
    At first, I wondered what somebody would do with the data from a programmable smart thermostat, but then I remembered that it could tell a burglar when you're asleep or not home.

    I know that the Government has already tried to subpoena data from Echo/Alexis but Amazon won't give it up; if the Government figures out how to HACK the data without needing a subpoena, that doesn't mean the evidence is admissible.

    I'm more afraid of nefarious people getting my smart data than the Government.

  5. #35
    Join Date
    Dec 2011
    Posts
    5,041
    Mentioned
    162 Post(s)
    Quote Originally Posted by allegro View Post
    That is in his article, speaks to subjective "worry." Like, just because you aren't paranoid doesn't mean people aren't out to get you ... har har har. The conspiracy theorists think the NSA is living in our Amazon Echo all day, so now they will think that a CIA agent is in the baby monitor, Nest thermostat and the remote-read RF water meter and is watching you on your home security system.

    (But I still won't get an Echo. I also have electrical tape on the cams on my laptop and iMac. I'm not a drug dealer or a terrorist but I don't want people seeing me walk around naked. If the CIA or NSA has it, so do bad guys - that's my motto.)

    You can't plug a USB into an iPhone.
    To counter Rob, he may be downplaying it TOO much. It was made clear that more than just the CIA have these tools now. It's also not impossible to take these attacks that require physical access and adapt them for network delivery. In fact, most attacks evolve this way.


    Internet attached bullshit like the Echo and thermostats are security nightmares for multiple reasons. Even the ToS for some of the smart TV's explicitly tell you to be careful of what you say around them. The average person should still be worried about that stuff. It's not the CIA, but all the other miscreants. Those devices are poorly secured and not maintained anywhere near as much as the laptops and mobile phones that have cams/mics on them as well. I'm never going to buy those things for everyday use. There will come a day when I have no option, and I will open the TV and physically remove the microphone, blind the camera, and pull the wifi antenna.


    Quote Originally Posted by allegro View Post
    HOLY SHIT. Why don't they use this in training videos for customer service??
    It's starting to get there... but there needs to be more attention. The attention rarely happens until a big story like this blows up. If all you have is a proof of concept attack, you have to really hype it up to get press coverage. You end up feeling like a tool doing it though :/

    Even Amazon's "2 factor auth" can be circumvented with a call like you saw in the video. It's so frustrating having all these backdoors thanks to poorly trained customer service reps that are given too much admin power.

    Quote Originally Posted by allegro View Post
    At first, I wondered what somebody would do with the data from a programmable smart thermostat, but then I remembered that it could tell a burglar when you're asleep or not home.

    I know that the Government has already tried to subpoena data from Echo/Alexis but Amazon won't give it up; if the Government figures out how to HACK the data without needing a subpoena, that doesn't mean the evidence is admissible.

    I'm more afraid of nefarious people getting my smart data than the Government.
    Well, a smart thermostat is literally "attaching fire to the internet" if you think about it. Sure, losing heat when you want it is going to be a massive annoyance. If you are old and live in a very cold area, it could kill you though. There was a recent issue with the Nest thermostats that caused a ton of them to fail for a few days. It was just a bug. People were pissed. Maxing out your heat while you are on vacation can bring some really big surprise gas bills, great for revenge. And the heat exchangers are surprisingly delicate, not too hard to crack them if you run them like an idiot. A cracked exchanger pumps carbon monoxide into your house.

    But really, it's a computer inside your network that can see everything happening inside your network and can relay it all outside of your network. That opens up tons of possibilities. Some of them hurt you. Some of them hurt everyone (Mirai botnet that we have only just started seeing the beginnings of).



    edit: as for burglars... most aren't smart. But there are so many ways to check for occupancy and/or targets with $$$ thanks to technology. $200 thermal cams to see if the house is warm. Bluetooth scanners to see which houses are filled with valuable electronics. etc.

  6. #36
    Join Date
    Dec 2011
    Location
    san fransisco
    Posts
    858
    Mentioned
    30 Post(s)
    Quote Originally Posted by DigitalChaos View Post
    To counter Rob, he may be downplaying it TOO much. It was made clear that more than just the CIA have these tools now. It's also not impossible to take these attacks that require physical access and adapt them for network delivery. In fact, most attacks evolve this way.


    Internet attached bullshit like the Echo and thermostats are security nightmares for multiple reasons. Even the ToS for some of the smart TV's explicitly tell you to be careful of what you say around them. The average person should still be worried about that stuff. It's not the CIA, but all the other miscreants. Those devices are poorly secured and not maintained anywhere near as much as the laptops and mobile phones that have cams/mics on them as well. I'm never going to buy those things for everyday use. There will come a day when I have no option, and I will open the TV and physically remove the microphone, blind the camera, and pull the wifi antenna.



    It's starting to get there... but there needs to be more attention. The attention rarely happens until a big story like this blows up. If all you have is a proof of concept attack, you have to really hype it up to get press coverage. You end up feeling like a tool doing it though :/

    Even Amazon's "2 factor auth" can be circumvented with a call like you saw in the video. It's so frustrating having all these backdoors thanks to poorly trained customer service reps that are given too much admin power.



    Well, a smart thermostat is literally "attaching fire to the internet" if you think about it. Sure, losing heat when you want it is going to be a massive annoyance. If you are old and live in a very cold area, it could kill you though. There was a recent issue with the Nest thermostats that caused a ton of them to fail for a few days. It was just a bug. People were pissed. Maxing out your heat while you are on vacation can bring some really big surprise gas bills, great for revenge. And the heat exchangers are surprisingly delicate, not too hard to crack them if you run them like an idiot. A cracked exchanger pumps carbon monoxide into your house.

    But really, it's a computer inside your network that can see everything happening inside your network and can relay it all outside of your network. That opens up tons of possibilities. Some of them hurt you. Some of them hurt everyone (Mirai botnet that we have only just started seeing the beginnings of).



    edit: as for burglars... most aren't smart. But there are so many ways to check for occupancy and/or targets with $$$ thanks to technology. $200 thermal cams to see if the house is warm. Bluetooth scanners to see which houses are filled with valuable electronics. etc.
    same case subpoenaing amazon also had a "smart" water meter, which data they are trying to use for time and usage to prove he hosed off his patio of blood. tech savvy lawyers, now we're truly fucked, which is why I give money to these guys https://www.eff.org/
    -louie

  7. #37
    Join Date
    Dec 2011
    Posts
    5,041
    Mentioned
    162 Post(s)
    oh, @allegro ... i forgot to mention something. You said that iphones can't have a USB device plugged in. Actually, they totally can with an adapter like this. I use it all the time to connect random shit to my iphone. You also have all those public charging stations in hotels, airports, etc. Never ever use that shit! If you absolutely have to, use a "USB Condom" to cut the data lines and only allow power charging. Better to bring your own charger that plugs into AC. Or use a USB battery pack as the middleman between your phone and the dirty dirty public charge cables/ports.

  8. #38
    Join Date
    Nov 2011
    Location
    At Lunch
    Posts
    9,314
    Mentioned
    732 Post(s)
    Quote Originally Posted by DigitalChaos View Post
    oh, @allegro ... i forgot to mention something. You said that iphones can't have a USB device plugged in. Actually, they totally can with an adapter like this. I use it all the time to connect random shit to my iphone. You also have all those public charging stations in hotels, airports, etc. Never ever use that shit! If you absolutely have to, use a "USB Condom" to cut the data lines and only allow power charging. Better to bring your own charger that plugs into AC. Or use a USB battery pack as the middleman between your phone and the dirty dirty public charge cables/ports.
    Who the fuck doesn't bring their own charger? Morons? It isn't like they WEIGH anything. Wtf.

    I meant USB without an adapter, a straight USB connection. I have Bluetooth headphones, the only thing I connect to my iPhone is my own charger.

  9. #39
    Join Date
    Dec 2011
    Location
    san fransisco
    Posts
    858
    Mentioned
    30 Post(s)
    Quote Originally Posted by Louie_Cypher View Post
    same case subpoenaing amazon also had a "smart" water meter, which data they are trying to use for time and usage to prove he hosed off his patio of blood. tech savvy lawyers, now we're truly fucked, which is why I give money to these guys https://www.eff.org/
    -louie
    I'm going to type this in a soft soothing font, take a nice deep breath, exhale and relax. this same CIA has killed people, toppled governments, conducted psychological, biological, and chemical experiments on an unknowing US population. are they putting chemicals in the water to turn me and the frogs gay? (probably not, although Daniel at the gym has been looking pretty sharp lately). case in point, it most likely has zero effect on you! It does however shed light on technology, privacy, information and these guys: https://www.eff.org/, but if you knew how often you were under surveillance during a day you would not leave your house. could also be a plant by trump to demonize the CIA before they release all the info they have on him. and last time I checked I could still say the president idiot, oompaloompa that somehow escaped the evil clutches of Willie wonka, had a rich dad who died, left him a fortune, and became president, without being sent to a re-education camp in Provo UT, my eyes pinned open and forced to watch celebrity apprentice on loop, with my nuts attached to a car battery, at least today
    so again I say relax educate yourself and be kind to others
    -Louie

  10. #40
    Join Date
    Nov 2011
    Location
    At Lunch
    Posts
    9,314
    Mentioned
    732 Post(s)
    Quote Originally Posted by louie_cypher View Post
    could also be a plant by trump to demonize the cia before they release all the info they have on him.

    bingo.

  11. #41
    Join Date
    Dec 2011
    Location
    san fransisco
    Posts
    858
    Mentioned
    30 Post(s)
    Quote Originally Posted by DigitalChaos View Post
    oh, @allegro ... i forgot to mention something. You said that iphones can't have a USB device plugged in. Actually, they totally can with an adapter like this. I use it all the time to connect random shit to my iphone. You also have all those public charging stations in hotels, airports, etc. Never ever use that shit! If you absolutely have to, use a "USB Condom" to cut the data lines and only allow power charging. Better to bring your own charger that plugs into AC. Or use a USB battery pack as the middleman between your phone and the dirty dirty public charge cables/ports.
    there's also this little guy https://www.wifipineapple.com/pages/nano
    -louie

  12. #42
    Join Date
    Nov 2011
    Location
    At Lunch
    Posts
    9,314
    Mentioned
    732 Post(s)
    Quote Originally Posted by Louie_Cypher View Post
    there's also this little guy https://www.wifipineapple.com/pages/nano
    -louie
    Whoa, that thing is COOL!!

  13. #43
    Join Date
    Dec 2011
    Location
    san fransisco
    Posts
    858
    Mentioned
    30 Post(s)
    Quote Originally Posted by allegro View Post
    Whoa, that thing is COOL!!
    they even now have an android app so super easy set-up
    -louie
