Showing posts with label #socialengineering. Show all posts
Showing posts with label #socialengineering. Show all posts

Thursday, July 20, 2023

Kevin Mitnick, Hacker Turned Security Consultant, Dies at 59

Kevin Mitnick, who became the country’s most famous cybercriminal after an FBI manhunt and later became a cybersecurity consultant, died on July 16.

Mitnick, who was 59, died of pancreatic cancer, said Kathy Wattman, a spokeswoman for KnowBe4, where Mitnick worked. Mitnick’s survivors include his wife, Kimberley, who is expecting a child this year.

“Mr. Mitnick branded himself the ‘world’s most famous hacker,’ as KnowBe4 called him in a Thursday statement. As the World Wide Web was slowly being adopted across the globe, he broke into the computer systems of companies such as Motorola, Nokia and Sun Microsystems, causing what prosecutors alleged was millions of dollars in damage,” Kelly writes.

“Before he was 30, Mr. Mitnick had already served a brief prison sentence for computer crimes. But his infamy as a hacker was cemented in 1995, when the FBI arrested him in the middle of the night at a North Carolina apartment in a highly publicized raid that capped a 24-hour stakeout outside his home and brought an end to his more than two years as a fugitive.”

Mitnick was a polarizing figure in the cybersecurity community after his release from prison in 2000. “He portrayed himself as a misunderstood ‘genius’ and pioneer, and some supporters said he was a victim of overzealous prosecution and overhyped media coverage,” Kelly writes.

“He became a cause célèbre for the internet,” former federal cybercrime prosecutor Mark Rasch, who investigated Mitnick, told Kelly. “There was this idea that he was liberating data, he was liberating information, and that he was just proving how hacking could be done,” he said. “You had a whole bunch of people in the hacker defense community who thought he was the worst thing in the world, and people in the hacker community who thought he was a demigod.” website

Thursday, October 29, 2020

Microsoft Says Iranian Hackers Targeted Conference Attendees

Microsoft says Iranian hackers have posed as conference organizers in Germany and Saudi Arabia in an attempt to break into the email accounts of “high-profile” people with spoofed invitations. 

The targets included more than 100 prominent people invited by the hackers to the Munich Security Conference, which is attended by world leaders each February, and the upcoming Think 20 Summit, which begins later this week in Saudi Arabia but is online-only this year.

“We believe Phosphorus is engaging in these attacks for intelligence collection purposes,” said Tom Burt, Microsoft’s security chief, in a prepared statement. “The attacks were successful in compromising several victims, including former ambassadors and other senior policy experts who help shape global agendas and foreign policies in their respective countries.” more

Monday, October 12, 2020

New Malware Toolset Used for Industrial Espionage

Malware authors are using an advanced toolset for industrial espionage, warned researchers at cybersecurity firm Kaspersky.

...the tool uses “a variety of techniques to evade detection, including hosting its communications with the control server on public cloud services and hiding the main malicious module using steganography.”

...files are disguised to trick employers into downloading them. They contain names related to employees’ contact lists, technical documentation, and medical analysis results to trick employees as part of a common spear-phishing technique...

MontysThree is designed to specifically target Microsoft and Adobe Acrobat documents, Kaspersky said. The malware can enable attackers to capture screenshots and gather information about the victim’s network settings, hostname, etc. more

Tuesday, September 22, 2020

iRobot Picked the Wrong Person to Roomba With!

One of our Blue Blaze irregulars alerted us to some slick social engineering.

He recently purchased an iRobot Roomba 960 Robot Vacuum Cleaner. He writes...

"What is "odd" is that when we first bought the thing we didn't have any screens requiring registration. Then about two weeks later the entire user interface changed that required registration. 

These two screens were strategically placed among "required information" even though this information was not mandatory. If you weren't paying attention you'd fill this out. Clever!"

I had a look at their Privacy Policy. Dig deep enough and you find this...

Some of our Robots are equipped with smart technology which allows the Robots to transmit data wirelessly to the Service...

• When you register your Robot with the online App, we collect information about the Robot, such as a Robot name (how cute) and device number, and information about the Robot and/or App usage (reveals when might you not be home), such as battery life and health.

• Certain Robot models are equipped to collect information about the environment in which the Robot is deployed. For example, the Robot collects information about the level of dirt detection and the Wi-Fi signal strength in each location and information about its movement throughout the environment to create a location ‘map’ of the Robot’s domain and the existence and type of objects (chair, desk, fridge etc.) or obstacles encountered.

 

Security Issues

  1. Do you really want a map of your home and belongings sent who-knows-where?
  2. Do you really want someone to know all your router information and password which connects to one of their apps on the internal side of your firewall?
  3. What happens when their database gets hacked?

I am guessing you don't. I'm also guessing you didn't know this was going on in the Internet-of-Things.

Ah, for the good old Jetson days when robots only talked to themselves.