-
Wade Mackey commented on the post, 5,300 Wells Fargo employees fired over 2 million phony accounts, on the site 8 years, 1 month ago
I won’t comment much on this since I work in the financial industry, but I will suggest you look up Enron. I have a friend who was an Enron energy trader and from what he has said and what I’m reading now there appear to be some similarities.
Wade
-
Wade Mackey commented on the post, Weekly Question #7: Complete by March 27, 2017, on the site 8 years, 1 month ago
If I used the word “secure” I was incorrect. The CRC check only verifies that the packet received was the packet sent. No determination can be made as to whether or not someone made a copy.
Wade
-
Wade Mackey posted a new activity comment 8 years, 1 month ago
I have to second the comment about the FBI. I’ve been in the room when the agent essentially says something like “Don’t quote me, but I’d pay it”.
Wade
-
Wade Mackey posted a new activity comment 8 years, 1 month ago
An important point to get from the article is that locking the PC or Mac is no guarantee of protection. The tool steals credentials even from a screen-locked machine. Even better, there is no need to “Decrypt” anything. What the USB stick gets is what the network is expecting. No need to understand it, just use it. If interested, just look up…
-
Wade Mackey commented on the post, Weekly Question #7: Complete by March 27, 2017, on the site 8 years, 1 month ago
We’ll cover more on this later, but port 443 and an SSL cert is no guarantee of security. The devil is in the detail configuration.
Wade
-
Wade Mackey commented on the post, Article: “Crimeware-as-a-Service Hack Turns Potential Hackers into Victims.”, on the site 8 years, 1 month ago
As you will hear from me as we progress through the course, this is often the case. Anonymous is a good example; they generally do not actually attack anyone. They talk it up and get unsuspecting dupes to launch attacks. The dupes then get busted.
Wade
-
Wade Mackey commented on the post, Weekly Question #7: Complete by March 27, 2017, on the site 8 years, 1 month ago
Maybe it’s just me, but asking the government to provide guidance to private industry on cyber security is suspect at best. Government systems are some of the least well maintained systems in the country. They are far behind industry on patching and hardening, and their testers often have their hands tied as they are required to use government…
-
Wade Mackey commented on the post, Data Manipulation: An Imminent Threat, on the site 8 years, 1 month ago
The Pakistan Swift Hack is a good example of this. All it takes is one weak link. So, yes, I would be concerned about some of the smaller institutions.
Wade
-
Wade Mackey commented on the post, Owners of attack for hire website arrested, on the site 8 years, 1 month ago
I find it interesting that they gave themselves away through Facebook. Reminds me of the story from a few years ago about the drug smuggler who came to the attention of authorities when he posted pictures of his money counting machines.
Wade
-
Wade Mackey commented on the post, Weekly Question #7: Complete by March 27, 2017, on the site 8 years, 1 month ago
There is also a less dramatic software version developed as a response to the “Mouse Jiggler”. It detects USB activation and can wipe drives, shut down machines, or any other action the user wishes. Mouse Jigglers are USB devices that mimic slight mouse movement to prevent the activation of screen savers.
Wade
-
Wade Mackey commented on the post, Weekly Question #7: Complete by March 27, 2017, on the site 8 years, 1 month ago
This is just the tip of the iceberg, so to speak. As IoT (Internet of Things) expands we are likely to see this story repeated often. Many IoT devices sit on the internet and have severe vulnerabilities. We are already seeing them leveraged for DDoS attacks.
Wade
-
Wade Mackey wrote a new post on the site ITACS 5211: Introduction to Ethical Hacking 8 years, 1 month ago
First let me say that I have no right or wrong answer for this, just want to see each of you weigh in.
In light of the news around an Israeli company developing malware to facilitate the UAE snooping on human […]
-
Wade Mackey wrote a new post on the site ITACS 5211: Introduction to Ethical Hacking 8 years, 1 month ago
Here is the presentation for Week 2
intro-to-ethical-hacking-week-2
Also, an email has been sent to each participant with a link to the Video.
-
Wade Mackey commented on the post, How Machine Learning is Making for Better IT Security, on the site 8 years, 1 month ago
Just my opinion, but machine learning isn’t likely to replace the need for human analysts any time soon. From what I have experienced, the more automation you throw at the problem, the more things you find to investigate. End result is you need more staff. Additionally, the staff is hard to keep. Good people have lots of external opportunities…
-
Wade Mackey commented on the post, The New Security Mindset: Embrace Analytics To Mitigate Risk, on the site 8 years, 1 month ago
Agree with the article, but this can be a hard sell to security-minded operations. How much access do you grant to the data store? What data do you scrub? Each step that limits risk also limits effectiveness.
-
Wade Mackey commented on the post, Hacker takes down CEO wire transfer scammers, on the site 8 years, 1 month ago
One thing to keep in mind is that the attackers are frequently not in the country of the victim. So even if you catch them, it can be difficult to prosecute. Last year it was Israeli criminals attacking French companies. For some reason the Israelis seemed to be particularly effective against the French.
-
Wade Mackey commented on the post, Progress Report for Week Ending, March 22, on the site 8 years, 1 month ago
I’ll clarify. I do not run AV on the virtual machines I use. I do have AV on the base machine that runs Workstation, but that is mostly because it was free (comes with being a Comcast customer). My professional experience is that it is not that effective, and gets in the way of doing security research. AV will flag many of the tools we will…
-
Wade Mackey commented on the post, Progress Report for Week Ending, March 22, on the site 8 years, 1 month ago
I saw the Jeep presentation at BlackHat. It was pretty impressive. The one thing the presenter did stress is that the manufacturers are starting to listen and lock down some of the vulnerabilities identified. In particular, the remote access vulnerabilities. On the down side, each manufacturer is running proprietary systems making it difficult…
-
Wade Mackey commented on the post, Progress Report for Week Ending, March 22, on the site 8 years, 1 month ago
I was at BlackHat and DefCon this year. These topics were covered, but there was so much more. The most impactful presentation I saw was around the emotional stress experienced by the very people we charge with protecting us. One example provided was around police having to deal with child pornography. The presenter indicated burnout was very…
-
Wade Mackey commented on the post, Progress Report for Week Ending, March 22, on the site 8 years, 1 month ago
From what I’ve heard, the Astro’s security processes were ineffective. They reset the password, but did not count on the fact that the attacker had access to the victim’s email, so he got the new password. We don’t cover much about incident response in this course, but one takeaway is to keep digging once you see a compromise. It is pretty rare…
-
I feel that the NSO Group is crossing the line from an ethical standpoint. I personally don’t believe that the Pegasus software that they created and attempted to use for the UAE aligns to NSO Group’s mission “to make the world a safer place by providing authorized governments with technology that helps them combat terror and crime.” To me they are enabling the Emirates to violate the fundamental human right of privacy. If I ran this security company, our values would be built on integrity. The products and services we offered would be designed to protect private and confidential data, not expose it.
The NSO Group claims its “mission is to make the world a safer place by providing authorized governments with technology that helps them combat terror and crime.” I believe this is not entirely true, and the company was offered enough money by the UAE to assist with monitoring human-rights activists and report information back to the government. It is reported that the NSO had a $10-$15 million contract with the UAE. Was that enough money to make NSO abandon its company mission? Most likely. I think for the right price, and the right situation, where the company puts no one in their native country in harm, its software can be bought and used on almost anyone in the world.
Honestly, I wouldn’t be very comfortable at all selling this malware. Any government in the world can buy this malware and make a case that they are doing it for the “safety” of the public or to counter the terrorists. However, the reality is they will use this malware to further whatever agenda they have. If there is a strong enough case to try and get this malware on someone’s phone who you think will be an accomplice to a terror attack, go arrest them or something. Giving this type of weapon out will open Pandora’s box and allow even more of these types of tools to be created and sold, which would probably end up getting in the hands of terrorists, which this malware was apparently created to spy on.
I think most organizations find themselves in a similar struggle where they have a core mission or objective to make something good. While maintaining good intentions, they end up with an internal struggle where the engineers/developers have goals to achieve success by designing or developing something to be used for “good”, while on the other hand the people that run the company and are supposed to bring in business are incentivized by money or sometimes other factors. I imagine the developers of this firm only meant for this to be used for the right reasons, but when an opportunity to make a lot of money came up it was much harder for leadership to turn it down. It is also possible that in some cases like this the true intentions of the use are not fully disclosed or known.
That’s a great question. The PC answer is that no one ever wants to violate human rights or someone’s personal freedoms. In this case, the UAE used this technology to spy on a human rights activist. Let me ask another question: what if this company came to the United States Government and said to them, we have a program that can give you access to Mr. X, the world’s most dangerous terrorist? Let’s assume Mr. X is the mastermind behind a terrorist organization that has killed thousands of people around the world. With this phone hack, you’ll be able to locate him and capture him. Does that change anything?
We all want black and white answers, but they don’t exist. Not only are there grey areas, but there are many different shades of black and white answers too.
Personally, for me, it’s a dangerous slope. And maybe this ties back to another post on here about the US courts ruling on the FBI using hacking software. The courts will decide if there is evidence for this type of “search”.
Good point Scott. In the case of Mr. X, I probably would be supportive of law enforcement or our government using this phone hack with the appropriate warrant. I still don’t think I would be supportive of my own security company developing this because the vulnerability threatens the privacy of all users of that phone model. You really raised how much of a grey area this is with your illustration.
This is a tough question to answer because as a head of the NSO group you could potentially see that a malware to monitor a person’s phone could do some good. However, if it landed in the wrong hands it could affect millions of people across the world. This ultimately goes to show that even though Apple devices are deemed relatively safe. This is similar to the issue that arose earlier in the year with the case versus Apple and the FBI when they were demanding a “back door” to their devices. Tim Cook said that a “back door” is the equivalent to “cancer for the iPhone” meaning that if a hacker were to obtain this “back door” he could essentially get into every iPhone in the world. Selling a malware for a price could eventually lead to someone obtaining this unbeknownst to the NSO group’s knowledge.
I’m not comfortable with this malware. I think that creating software like this opens Pandora’s box as to the use and misuse of such software. Once one reason for intruding people’s privacy so brashly is justified, people will push for another reason why the malware should be acceptable. People already have enough to worry about with the NSA, we don’t need software companies developing malware on top of that. Thankfully, companies such as Apple have taken a firm stance on user safety and confidentiality. Hopefully, companies like these will make efforts to patch vulnerabilities and maximize the privacy of their users.
NSO Group, which created the malware, crossed the ethical line because they sold the malware to anyone who is willing to pay. For this kind of IT security company, there should be a regulation or law set up for who, where and why they can sell malware. As people are always saying, if power goes to the wrong place, there will be tragedies. In addition, for Ahmed Mansoor, the Emirati government violated his confidentiality and rights. They imprisoned him in another form. It is hard to find solid evidence to prove that the Emirati government hired NSO Group to attack Mansoor. However, it was the third time that he was targeted by malware written by a private intelligence firm. He should have done something to protect his privacy, like installing apps that help him to detect malware, not clicking on any links that are risky, etc.
I think Pegasus goes too far from ethical hacking. Even though Pegasus states that all their products are used for making the world a safer place by preventing and investigating crime, what it actually did violated the privacy of Mansoor. I think if Pegasus provides services to countries for only surveilling terrorists, such as Osama bin Laden, it will be fine. I would believe that the original intention of Pegasus is to prevent and investigate crime like it stated, but Pegasus and its technologies would be used for inappropriate persons, such as dissidents who are not potential terrorists, Mansoor in this case. To Pegasus, it may be hard to determine whether the person they are required to surveil is a potential terrorist or not, because it may relate to a country’s confidential information. Therefore, it is hard to judge whether Pegasus is doing the right thing because it highly depends on the countries that hired it. In this case, UAE crossed the line of doing right things for a safer world.
The manner that Pegasus was used in this case is wrong and unethical. I think these situations are difficult to judge and cause so much controversy because you never know what a company like NSO’s intentions really are. Tools like this can be very powerful in stopping terrorism around the world but it sends a completely different message when you are receiving billions of dollars from a government that wants to use this exploit on journalists and activists. My challenge of running an IT security company like this would be determining who the “good guys” really are and the responsible use of this knowledge and research. I personally would want to work with governments that shared my same views against terrorism and wanted to use these tools to prevent it. I would also want to work with Apple and other companies to help prevent this from happening to innocent users even if that compromises the exploit.