St. Louis-based security researcher Charlie Miller and his collaborator Chris Valasek got themselves in the news this week by hacking a Jeep driven by Wired journalist Andy Greenberg on I-64.
The reaction was mixed, but one common theme was, why I-64, where lives could have been at risk, rather than an abandoned parking lot?
I don’t know Miller or Valasek, so it goes without saying I don’t speak for either one of them, but I think I have a pretty good idea why they did it that way.
Continue reading Stunt Hacking: Why Charlie Miller hacked a Jeep driving on I-64
One of my college buddies (Hi Christian!) shared my previous post on Facebook, pointing out that I’m a long-suffering Royals fan in Cardinals country, and adding that what I said was balanced and dispassionate.
I’m normally anything but dispassionate. But in this case, it’s not a baseball matter–it’s a business matter, and neither my employer nor any past employer is involved, so it’s easy to be detached and dispassionate. I guess you can say my take on hacking has changed. I was going to say “evolved,” but “changed” is more dispassionate.
Continue reading Final thoughts on the Houston Astros’ database
So, about a year ago, the Houston Astros announced their internal player database had been breached. This week, more details emerged, pointing right at the St. Louis Cardinals.
It wasn’t a terribly sophisticated attack. You knew I’d write about this, but I’ll explore it from an IT security perspective more than from a baseball perspective.
Continue reading Minor-League hacking in the MLB
I wasn’t surprised people were trying to hack my blog. What surprised me was how many people were trying to hack my blog–there was a time when I probably had more hacking-related traffic than I had reader-related traffic.
If you have a WordPress blog, you’re probably in a similar situation.
Continue reading Why someone would hack a WordPress account
Every breach report contains the words “sophisticated attack.” Security pros like me see it as pure spin. Here’s why.
Continue reading “It was a sophisticated attack.”
Apparently, 86% of WordPress blogs haven’t yet been upgraded to version 4.0 or 4.01, which leaves them exposed to a terrible cross-site scripting vulnerability.
If you’re reading this, and you have a WordPress blog, go update it. This post will still be here when you’re done.
Continue reading This should go without saying: Upgrade your WordPress!
A college classmate contacted me a week or two ago. A relative of hers got scammed, and she wanted to know what to do.
“Get the charges reversed on the credit card,” was my simple response.
“What about cleaning up the computer?” she asked.
That’s the easy part.
Continue reading Got tech support scammed? Worry about your credit card, not your computer
FTDI is a company that makes computer chips for USB peripherals. Their chips are frequently cloned, which is an issue they have a right to deal with. But they have to be careful.
Breaking suspected cloned chips that consumers bought in good faith is the wrong answer. If I did that, it would be called hacking, and I would be sitting in jail right now, and probably would be facing a quarter-century in prison.
Continue reading FTDI needs to be charged under the Computer Fraud and Abuse Act
Dan Bowman kindly pointed out to me that former Commodore engineer Bil Herd wrapped up his discussion of the ill-fated Commodore TED machines on Hackaday this week. Here in the States, few remember the TED specifically, but some people may remember that oddball Commodore Plus/4 that closeout companies sold for $79 in 1985 and 1986. The Plus/4 was one of those TED machines.
What went wrong with that machine? Commodore miscalculated what the market was doing. The TED was a solution to too many problems, and ended up not solving any of them all that well.
Continue reading The curious case of the Commodore TED machines
I guess Matt Weeks is as sick as I am of tech support scammers, because he developed a way to fight back, in the form of a Metasploit module that exploits a software defect in the AMMYY remote access tool that these scammers sometimes use. Metasploit is a tool that penetration testers use to demonstrate–with permission–how hackable a computer network is. In this case, the would-be victim is penetration testing someone without permission. Run the module when the scammer connects to the would-be victim, and he or she gets a command prompt on the criminal’s PC. At that point, the would-be victim can break their computer, perhaps by deleting critical files, corrupting the Windows registry, or something else. Anything you can do from a command prompt would be possible at that point.
I’m anything but heartbroken that this threat exists, although I’m not going to do this myself. Let me explain.
Continue reading A security professional fights back against tech support scammers