Virgin Airlines Australia moved firefighter from seat next to boys because men can't be seated next to unaccompanied children

An Australian firefighter named Johnny McGirr was told to move seats on his Virgin Airlines flight because he'd been seated next to two unaccompanied boys. The airline's policy is reportedly that men may not be seated next to children traveling without adults, though women may be. McGirr felt the policy treats all men as presumed paedophiles, and wrote about it in a blog post called My Virgin experience as a Paedophile!, in which he publishes the Virgin policy provided to him by a company rep: "Unaccompanied children will have spare seats allocated next to them when they are flying. In the case of a full plane then a female will be sat next to the children."

Here's his account of how it happened:

The fasten seat belt sign was illuminated and we were clear for takeoff. Then the stewardess approached me again.

‘Sir, we are going to have to ask you to move’

‘Why’, I said.

‘Well, because you are male, you can’t be seated next to two unaccompanied minors’.

Shocked, I replied, ‘Isn’t this sexist and discriminatory?’

She replied, ‘I am sorry, but that is our policy’.

I just hate this stuff. I've gotten the weird looks when I take my daughter to the playground, and I've found myself having minor anxiety when her friends fall down and need help or a hug. In situations where children and adults mix, men are often presumptive suspects (this goes double for any place where the Murdoch press has spent 20 years publishing innumerate stranger-danger scare stories that ignore the reality that most child abusers attack their own children or the children in their care).

Apple suspends over-the-phone password resets

Following the incredible social engineering hack suffered by Wired's Mat Honan over the weekend, Apple's shut down the exploit by "ordering support staff to immediately stop processing AppleID password changes requested over the phone."

HOWTO open an electronic hotel-room lock without a key

Cody Brocious -- a Mozilla dev and security researcher -- presented a paper on a vulnerability in hotel-door locks last month at Black Hat. Many electronic hotel door-locks made by Onity have a small DC power port on their underside that also carries data. Brocious showed that if he plugs an Arduino into this port, reads out the 24-bit number stored in the lock, and re-transmits it, some appreciable fraction of the locks (but not all of them) spring open.

Testing a standard Onity lock he ordered online, he’s able to easily bypass the card reader and trigger the opening mechanism every time. But on three Onity locks installed on real hotel doors he and I tested at well-known independent and franchise hotels in New York, results were much more mixed: Only one of the three opened, and even that one only worked on the second try, with Brocious taking a break to tweak his software between tests.

Even with an unreliable method, however, Brocious’s work -- and his ability to open one out of the three doors we tested without a key -- suggests real flaws in Onity’s security architecture. And Brocious says he plans to release all his research in a paper as well as source code through his website following his talk, potentially enabling others to perfect his methods.

Brocious’s exploit works by spoofing a portable programming device that hotel staff use to control a facility’s locks and set which master keys open which doors. The portable programmer, which plugs into the DC port under the locks, can also open any door, even providing power through that port to trigger the mechanism of a door lock in which the battery has run out.


Dropbox: "We wuz hacked"

A couple of weeks ago, a few hundred Dropbox users noticed they were receiving loads of spam about online casinos and gambling websites, at email addresses those users had set up only for Dropbox-related actions. The online file storage service now admits that hackers snagged usernames and passwords from third-party sites and used this data to break into those Dropbox users' accounts. Dara Kerr, reporting for CNET:

"Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We've contacted these users and have helped them protect their accounts," the company wrote in a blog post today. "A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam."

Over at Ars Technica, Jon Brodkin has more. Evidently, the illicit access happened because a Dropbox employee’s account was hacked.


Call your Senator today and stop the Cyber Security Act of 2012: it legalizes spying on your email, chats, photos, social behavior, and location for any purpose

Tiffiny from champion SOPA-fighters Fight for the Future says:

This year, grassroots movements defeated SOPA in the US and ACTA in Europe. We might be able to make another bad-idea bill, CISPA, go down in flames too (or get the privacy protections we've been fighting for). CISPA -- which already passed the House -- would give government access to all your personal data with no restrictions on what they could do with it. The Senate version of CISPA, which is slightly better but could be made much, much worse, is going to a final vote today.

If you have a secret --

Or think it's creepy that the government listens in on your cell phone calls, knows your location right now, reads your emails, all without a warrant? A bill going to vote today in Congress would make all of this government spying legal.

Millions of us aren't aware of this bill or don't realize how far they go.

That's why we're sharing this link:

We took some time to try to capture exactly what's so dangerous and disturbing about having secrets at all.

This year, grassroots movements defeated SOPA in the US and ACTA in Europe. We might be able to make another bad-idea bill go down in flames too (or get the privacy protections we've been fighting for).

This could be the year for internet freedom and the open internet to prevail above huge amounts of lobbying dollars. And racking up wins on SOPA, CISPA, ACTA -- that'd be unprecedented.


What can we learn from the Colorado shooting?

Bruce Schneier asks what lessons we can learn from the shooting in a Colorado movie theater, and answers the question with admirable good sense:

The rarity of events such as the Aurora massacre doesn't mean we should ignore any lessons it might teach us. Because people overreact to rare events, they're useful catalysts for social introspection and policy change. The key here is to focus not on the details of the particular event but on the broader issues common to all similar events.

Installing metal detectors at movie theaters doesn't make sense -- there's no reason to think the next crazy gunman will choose a movie theater as his venue, and how effectively would a metal detector deter a lone gunman anyway? -- but understanding the reasons why the United States has so many gun deaths compared with other countries does. The particular motivations of alleged killer James Holmes aren't relevant -- the next gunman will have different motivations -- but the general state of mental health care in the United States is.

Even with this, the most important lesson of the Aurora massacre is how rare these events actually are. Our brains are primed to believe that movie theaters are more dangerous than they used to be, but they're not. The riskiest part of the evening is still the car ride to and from the movie theater, and even that's very safe.

Drawing the wrong lessons from horrific events (via Interesting People)

Notes from DEFCON and DEFCON Kids

I've been posting lightly around here for the past week, as I've been at DEFCON, where I gave a speech. I brought my whole family -- wife, daughter, and parents -- and the kid got to do some lockpicking workshops at DEFCON Kids, the astoundingly bad-ass kids' computer literacy program run alongside the main event. I was run off my feet (in a very good way) at the event and haven't yet gotten enough of a handle on it to write something coherent, but my wife Alice has a good writeup of our experience there, with special emphasis on the DEFCON Kids axis-of-awesome (my wife was Education Commissioner for Channel 4 for some years before quitting to do a startup and has seen every educational tech approach under the sun; DEFCON Kids blew her away) and, separately, on Katy Levinson's stupendous, semi-drunken, vodka-fueled, obscenity-filled virtuoso engineering talk on the practical difficulties of building and operating robots.

Update: Katy Levinson adds in the comments, "Also, if you have a moment, please help us save Hacker Dojo, a wonderful hackerspace and the first home of Pinterest. Hacker Dojo is currently in danger of being shut down by the city."

Ubisoft's DRM leaves your computer wide open to browser-based system hijacking

Yesterday, noted security researcher (and Google employee) Tavis Ormandy published his discovery that Ubisoft's UPlay DRM installs a browser plugin that leaves your computer terribly vulnerable to drive-by attacks over the Internet. The plugin is meant to allow Ubisoft to start games on your computer over the Internet, but it lacks an effective authentication mechanism. This means that a malicious web page could check your browser to see if you have Ubisoft's DRM installed and, if so, cause the plugin to run malicious software that hijacks your computer.

An early report on Hacker News characterized this as a "rootkit," which triggered a long (and tedious) debate about the formal definition of rootkits and whether Ubisoft's system qualified. To me, this seems rather beside the point, which is that Ubisoft's overall installation process involves a high degree of secrecy and obfuscation, because none of Ubisoft's users want DRM (some may not mind it, but it's a rare gamer who says, "Please install software on my computer that watches what I do and orders my computer to prevent me from doing things that displease a distant corporation"). As a result, security vulnerabilities that arise from sloppiness (or malice) are more difficult to discover and to put right.

PC Gamer got a rare and terse quote from Ubisoft on the issue, in which the company says it is "looking into" the issue, later updated with the statement that a "forced patch" has been issued to fix the issue (though this claim hasn't been independently verified by any source I can find).

Tor project considers covering costs for exit nodes

The maintainers of the Tor Project -- which provides more anonymous and private Internet use by bouncing traffic around many volunteers' computers -- are considering paying $100/month to people who maintain high-speed "exit nodes." "Exit nodes" are the last hop in the Tor chain, and they sometimes attract legal threats and police attention, which makes some people reluctant to run them. As a result, there aren't enough exit nodes to provide really robust anonymity for Tor users. Tor hopes that by covering costs for organizations and individuals who are willing to provide exit nodes, they'll get more diversity in the population of exits. Darren Pauli has more in SC magazine:

"We've lined up our first funder BBG, and they're excited to have us start as soon as we can," Dingledine wrote on the Tor mailing list.

The backflip came about because exit node diversity was low: most Tor users choose one of just five of the fastest exit relays about a third of the time, from a pool of about 50 relays.

"Since extra capacity is clearly good for performance, and since we're not doing particularly well at diversity with the current approach, we're going to try [the] experiment," he said.

Tor Project mulls $100 cheque for exit relay hosts

(Image: Counterfeit $100 Bill, a Creative Commons Attribution (2.0) image from travisgoodspeed's photostream)

ATM skimmers that fit in the card-slot

Police in an unidentified European nation have retrieved wafer-thin ATM skimmers that are so small that they can be fitted inside the credit-card insertion slot. Brian Krebs describes the finding:

That’s according to two recent reports from the European ATM Security Team (EAST), an organization that collects ATM fraud reports from countries in the region. In both reports, EAST said one country (it isn’t naming which) alerted them about a new form of skimming device that is thin enough to be inserted directly into the card reader slot. These devices record the data stored on the magnetic stripe on the back of the card as it is slid into a compromised ATM.

Another EAST report released this week indicates that these insert skimmers are continuing to evolve. Below are two more such devices. Insert skimmers require some secondary component to record customers entering their PINs, such as a PIN pad overlay or hidden camera.

ATM Skimmers Get Wafer Thin

Byzantium, a bootable Linux with "Ad-hoc wireless mesh networking for the zombie apocalypse"

The Doctor [412/724/301/703] [ZS] sez, "Project Byzantium is a working group of the HacDC hackerspace, and is a live distribution of Linux for easily and rapidly deploying ad-hoc wireless mesh networks for the purpose of emergency communications. They presented last weekend in New York City at HOPE Number Nine and announced their second major release (v0.2a) on stage. They also gave away 500 copies on CD-ROM at the conference. They held workshops all weekend on how to use and test Byzantium Linux, and now they've released the .iso image of this release to the Internet." (Thanks, The Doctor [412/724/301/703]!)

3D printed keys open "high security" handcuffs

A hacker at HOPE presented a pair of 3D printed "high security" handcuff keys that unlocked cuffs whose designs are supposed to be secret and not widely available. They will shortly be on Thingiverse for you to download. Forbes's Andy Greenberg reports:

In a workshop Friday at the Hackers On Planet Earth conference in New York, a German hacker and security consultant who goes by the name “Ray” demonstrated a looming problem for handcuff makers hoping to restrict the distribution of the keys that open their cuffs: With plastic copies he cheaply produced with a laser-cutter and a 3D printer, he was able to open handcuffs built by the German firm Bonowi and the English manufacturer Chubb, both of which attempt to control the distribution of their keys to keep them exclusively in the hands of authorized buyers such as law enforcement.

The demonstration highlights a unique problem for handcuff makers, who design their cuffs to be opened by standard keys possessed by every police officer in a department, so that a suspect can be locked up by one officer and released by another, says Ray. Unlike other locks with unique keys, any copy of a standard key will open a certain manufacturer’s cuff. “Police need to know that every new handcuff they buy has a key that can be reproduced,” he says. “Until every handcuff has a different key, they can be copied.”

Unlike keys for more common handcuffs, which can be purchased (even in forms specifically designed to be concealable) from practically any survivalist or police surplus store, Bonowi’s and Chubb’s keys can’t be acquired from commercial vendors.


Commercial spamflooding used by crooks to tie up their victims at key moments

Security expert Brian Krebs was the target of a malicious email flood, and writes firsthand about the experience. These floods -- which can be directed at any and all of your phone (voice or SMS) and email -- are used by crooks who want to busy-out all their victims' communications channels while they are ripping them off electronically. This kind of flooding is available as a (surprisingly cheap) commercial service.

Used mostly in private for myself and now offered to the respected public.

Spam using bots, having decent SMTP accounts.

Doing email floods using bots. Complete randomization of the letter, so the user could not block the flood by the signatures.

Flooder is capable of the following functionality:

Huge wave of emails is being instantly sent to the victim. (depending on the server load and amount of emails to be flooded)

Delivery rate of 60-65% — depending on the SMTP servers.

Limit for flooding single email account on this server is 100,000 emails.

Plan – Children – 25,000 emails — $25
Plan – Medium – 50,000 emails — $40
Plan – Hard – 75,000 emails — $55
Plan – Monster – 100,000 emails — $70

Cyberheist Smokescreen: Email, Phone, SMS Floods

Crummy passwords from Yahoo users

The dump of 450,000 Yahoo passwords by a group calling itself "D33ds Company" has been analyzed by Anders Nilsson (apparently these passwords were stored in the clear). Here's the topline:

Total entries = 442773
Total unique entries = 342478

Top 10 passwords
123456 = 1666 (0.38%)
password = 780 (0.18%)
welcome = 436 (0.1%)
ninja = 333 (0.08%)
abc123 = 250 (0.06%)
123456789 = 222 (0.05%)
12345678 = 208 (0.05%)
sunshine = 205 (0.05%)
princess = 202 (0.05%)
qwerty = 172 (0.04%)

Top 10 base words
password = 1373 (0.31%)
welcome = 534 (0.12%)
qwerty = 464 (0.1%)
monkey = 430 (0.1%)
jesus = 429 (0.1%)
love = 421 (0.1%)
money = 407 (0.09%)
freedom = 385 (0.09%)
ninja = 380 (0.09%)
writer = 367 (0.08%)

Password length (length ordered)
1 = 117 (0.03%)
2 = 70 (0.02%)
3 = 302 (0.07%)
4 = 2748 (0.62%)
5 = 5323 (1.2%)
6 = 79610 (17.98%)
7 = 65598 (14.82%)
8 = 119125 (26.9%)
9 = 65955 (14.9%)
10 = 54756 (12.37%)
11 = 21219 (4.79%)
12 = 21728 (4.91%)

Statistics of the "450.000 leaked Yahoo accounts". (via Waxy)
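The kind of tally Nilsson ran over the dump, as an added example (my own script, not his) so you can run the same audit over a leaked list before checking it against your own users. It assumes the dump is one "email:password" per line and works on a small constructed sample rather than the real leak:

```python
import re
from collections import Counter

# Constructed sample dump, "email:password" per line (made up, not the real leak).
SAMPLE_DUMP = """\
a@example.com:123456
b@example.com:password
c@example.com:password1
d@example.com:Welcome2012
e@example.com:ninja
f@example.com:123456
g@example.com:qwerty!
h@example.com:monkey
i@example.com:Password
j@example.com:abc123
"""

def parse_dump(text):
    """Extract passwords from 'email:password' lines, splitting on the first
    colon only because a password may itself contain colons."""
    passwords = []
    for line in text.splitlines():
        if ":" in line:  # skip blank or malformed lines
            passwords.append(line.split(":", 1)[1])
    return passwords

def base_word(password):
    """Alphabetic core, lower-cased ('Welcome2012' -> 'welcome'); '' if none."""
    return re.sub(r"[^A-Za-z]", "", password).lower()

def analyze(passwords, top=10):
    """The four tallies shown on the page: totals, top passwords,
    top base words and the length distribution."""
    bases = Counter(b for b in map(base_word, passwords) if b)
    return {
        "total": len(passwords),
        "unique": len(set(passwords)),
        "top_passwords": Counter(passwords).most_common(top),
        "top_base_words": bases.most_common(top),
        "lengths": dict(sorted(Counter(len(p) for p in passwords).items())),
    }

def fmt(count, total):
    """Render 'count (pct%)' like the published stats."""
    return f"{count} ({100.0 * count / total:.2f}%)"

def report(stats):
    """Plain-text report in the same layout as the published statistics."""
    t = stats["total"]
    lines = [f"Total entries = {t}", f"Total unique entries = {stats['unique']}",
             "", "Top passwords"]
    lines += [f"{p} = {fmt(c, t)}" for p, c in stats["top_passwords"]]
    lines += ["", "Top base words"]
    lines += [f"{b} = {fmt(c, t)}" for b, c in stats["top_base_words"]]
    lines += ["", "Password length"]
    lines += [f"{n} = {fmt(c, t)}" for n, c in stats["lengths"].items()]
    return "\n".join(lines)

print(report(analyze(parse_dump(SAMPLE_DUMP))))
```

The base-word tally is the useful one for policy: it shows that appending digits or capitalizing ("password1", "Password") does nothing to move users off the same handful of dictionary words.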

Dropped infected USB in the company parking lot as a way of getting malware onto the company network

Workers at the Dutch offices of DSM, a chemical company, report finding USB sticks in the company parking lot, which appeared to have been lost. However, when the company's IT department examined the sticks, they discovered that they were loaded with malware set to autorun on company computers, which would harvest employee login credentials. It appears that criminals dropped the sticks in the hope of tricking employees into plugging them into machines on the company network.

Cybercriminelen doen poging tot spionage bij DSM

Cybercriminals do attempt to commit espionage at DSM (Google Translate)

(via /.)

Car thieves root the BMW, make off like bandits

A vulnerability in BMW's keyless ignition system allows thieves to make off with the cars in under three minutes, possibly via the engine's diagnostic systems. BMW's acknowledged something is amiss, but hasn't done much to fix the problem.

On the car forum 1Addicts, a one-time poster by the name of "stolen1m" uploaded the above video showing how his BMW was stolen in under three minutes. He suspects the thieves used devices that plug into the car's On-Board Diagnostic (OBD) port to program a new keyfob.

In this particular video, there are a few security flaws that the hackers are exploiting simultaneously: there is no sensor that is triggered when the thieves initially break the window, the internal ultrasonic sensor system has a "blind spot" just in front of the OBD port, the OBD port is constantly powered (even when the car is off), and last but not least, it does not require a password. All of this means the thieves can gain complete access to the car without even entering it.

BMW has acknowledged that there is a problem, but is downplaying this particular issue by saying the whole industry struggles with thievery. This is unfortunate given that the evidence seems to point towards BMWs being specifically targeted. Whether that's because they are luxury cars or because they have a security loophole doesn't matter: the point is BMW needs to do something about it.

Hackers steal keyless BMW in under 3 minutes (video) (via /.)

Furniture hates America

In 2011, Americans were more likely to die by being crushed by their own TV sets than at the hands of terrorists. (via Schneier)
