IBM's ridiculously named X-Force Red have documented a new attack vector they've dubbed "Warshipping": they mailed a sub-$100 custom, wifi-enabled low-power PC with a cellular radio to their target's offices.
The device scans for visible wifi networks; once it senses a network associated with its target (indicating that it has arrived on the target company's premises), it alerts its controllers over the cellular radio, and then scans the local wifi for instance in which users' devices are initiating new connections to the network. It captures the handshake data from these connections, transmits them over the cellular network to its controllers, and they can then crack the password offline, send login credentials to the warshipping device, login to the target network, and attack the network from within.
“Warshipping has all the characteristics to become a stealthy, effective insider threat — it’s cheap, disposable, and slides right under a targets’ nose — all while the attacker can be orchestrating their attack from the other side of the country,” said Henderson. “With the volume of packages that flow through a mailroom daily — whether it be supplies, gifts or employees’ personal purchases — and in certain seasons those numbers soar dramatically, no one ever thinks to second guess what a package is doing here.”
The team isn’t releasing proof-of-concept code as to not help attackers, but uses the technique as part of its customer penetration testing services — which help companies discover weak spots in their security posture.
With warshipping, hackers ship their exploits directly to their target’s mail room [Zack Whittaker/Tech Crunch]
(via Super Punch)
Last week at Defcon, a security researcher named Smea presented their findings on vulnerabilities in the Lovesense Hush, an internet-of-things buttplug that has already been shown to have critical privacy vulnerabilities.
Few states have voting machines that are simultaneously more obviously defective and more ardently defended by the state government than Georgia, where 16-year-old touchscreen systems are prone to reporting ballots cast by 243% of the eligible voters and where gross irregularities in election administration sends voters to the wrong polling places or sends co-habitating husbands […]
Apple's Faceid -- a facial recognition tool that unlocks mobile devices -- has a countermeasure that is designed to prevent attackers from scanning an sleeping/unconscious (or dead) person's face to unlock their phone, by scanning the face for signs of consciousness.
The field of data analytics is growing as fast as the internet itself. Self-driving cars, airline pricing, and huge marketing campaigns are all driven by the insights that data scientists can distill out of vast sums of information. Even with the help of powerful software like Python, it’s a highly skilled position. But those skills […]
If you’re marketing on the web, your Google-fu needs to be strong – and up to date. Without a firm grasp on what drives traffic, you’ll never be able to take the wheel. That’s why even if you know where to put your keywords, a little extra effort goes a long way on any marketer’s […]
Want to keep the dentist away? A little tooth care at morning and night isn’t bad, but it won’t keep the stains from smoking or fried foods at bay for long. If you enjoy your food and want to avoid the consequences, an upgrade from that old analog toothbrush can make a huge difference. Among […]