IBM's ridiculously named X-Force Red have documented a new attack vector they've dubbed "Warshipping": they mailed a sub-$100 custom, wifi-enabled low-power PC with a cellular radio to their target's offices.
The device scans for visible wifi networks; once it senses a network associated with its target (indicating that it has arrived on the target company's premises), it alerts its controllers over the cellular radio, and then scans the local wifi for instances in which users' devices are initiating new connections to the network. It captures the handshake data from these connections and transmits it over the cellular network to its controllers, who can then crack the password offline, send login credentials to the warshipping device, log in to the target network, and attack the network from within.
“Warshipping has all the characteristics to become a stealthy, effective insider threat — it’s cheap, disposable, and slides right under a target’s nose — all while the attacker can be orchestrating their attack from the other side of the country,” said Henderson. “With the volume of packages that flow through a mailroom daily — whether it be supplies, gifts or employees’ personal purchases — and in certain seasons those numbers soar dramatically, no one ever thinks to second guess what a package is doing here.”
The team isn’t releasing proof-of-concept code as to not help attackers, but uses the technique as part of its customer penetration testing services — which help companies discover weak spots in their security posture.
With warshipping, hackers ship their exploits directly to their target’s mail room [Zack Whittaker/TechCrunch]
(via Super Punch)