Posts Tagged ‘Technology’

ThruGlassXfr starts to make an impact

October 2nd, 2014

It is awesome to see that Ian Latter’s work on bypassing all security measures to exfiltrate data via the screen is starting to be received by the InfoSec community. Today an article written by Richard Stiennon on Ian’s presentation at COSAC was syndicated through to Forbes. Well done Ian!! This follows up on a post I did in July when I was allowed to start talking about TGXf.

As part of Ian’s presentation preparation (and in response to a number of CFP reviewers NOT READING HIS SUBMISSIONS) he also prepared a number of videos demonstrating the capabilities of ThruGlassXfr along with his ThruKeyboardXfr.

ThruGlassXfer Open Letter (PDF) – TGXf VER8 FPS5 GD
http://youtu.be/IXlYDYjqFLU

Android smart-phone in flight mode, downloading a PDF from Youtube via a Laptop screen
http://youtu.be/2_8GlFdlb0Y

TGXf Demo – Open Letter PDF, ANSI (Terminal) Version 1 at 8 FPS
http://youtu.be/ZrMN54Rooec
(i.e. you don’t need graphical access to steal data)

TKXf Demo – Keyboard upload of virus to hardened Windows platform
http://youtu.be/2Szza7dQZsY
(i.e. I can type a virus into Windows .. stop me)

TKXf Demo – Keyboard upload of payload via Windows to Linux
http://youtu.be/QmROf-Tx92E
(i.e. I can type any payload into anything via anything .. stop me)

TCXf Demo – Attacker exfiltration from Linux via socket over PuTTY/XPe/HP Thin Client
http://youtu.be/sMHx5VDpFjQ
(i.e. I can route anything via anything over screen and keyboard)

And my personal favourite!!!!!
TCXf Demo – IP networking over Screen and Keyboard!
http://youtu.be/PdjhevoBKbs

Yes, that last one is a functional network over TGXf and TKXf…

As a Security Enthusiast I love seeing this, though I have to say that as a Security Technology Vendor and IT Outsourcing and Management Supplier it gives me pause. Now I finally have the enthusiasm back to write that paper on the risks of BYOD.

Thoughtlet: My thoughts on 3D printing

July 16th, 2014

I started writing this post a few weeks back and stumbled onto it today. It was off the back of me reading this article on Dezeen by Alexandra Lange. It is an individual perspective on 3D printing, its failings and how it could learn from the sewing revival. This article was in direct response to Seth Stephen’s article on Slate.com. Below are my rambling thoughts on their perspectives.

TLDR:

Experience limitations can and do skew perspectives, more often than not towards the negative. Look at the wider picture and see the possibility.

Look to the future, and like the sewing pattern sellers you will see more like Thingiverse, offering a marketplace (marketspace) for the sale of 3D patterns. The sewing revival, enabled by the internet, teaches how to make your own patterns, or download pre-created patterns for you to sew. 3D, too, offers this (Thingiverse, other?). The difference is in the maturity of the technology. Give it time.

Now for the longer version:

Whilst the parallels are useful, keep in mind that they are different technologies with different applications.

The article points to the fact that current home 3D printing is not at a level sufficient for mass use. I argue that, in its current form, it never will be. What it is today is the very beginning of what is to come, the precursor to something amazing. We are already seeing what is coming (food printing, medical printing, manufacturing). I’m sure that the early automatic sewing machines were horrible and produced sub-par results too (just look at the shitty hand-held or initial cheap machines available, and even what is now available in discount stores). Not all things are created equal.

ThruGlassXFER – exfiltration via QRCode

June 10th, 2014

This week Ian Latter, under his MidnightCode moniker, started to release information on his proof of concept for the exfiltration of information using QR Codes called ThruGlassXFER. This is ahead of his presentation at COSAC in Ireland and time at BlackHat later this year.

The full ThruGlassXFER White-Paper and proof of concept apps are coming. I was privileged enough to see this project as it emerged including the functioning proof-of-concept. The White-Paper will walk people from first principles through to sample code. There are also some inventive ways to get the base code onto secure systems.

This should put to bed the argument that a system that delivers only a remote display, mouse and keyboard is secure and that information cannot easily be exfiltrated from it. Yes, I understand that this is an oversimplification of the potential issue. I’m looking forward to how this is received and what people do with it.

My hat goes off to Ian!


ITO Maturity?

February 24th, 2014

I was recently told that Information Technology Outsourcing (ITO) and the integration of multiple service providers is still an emerging market. In my role, every day I deal with outsourcing of customer IT environments: the opportunities; the value I, as a service provider, can bring; and the risk for both sides. I’d like to point out that I’ve been involved in ITO in some fashion for almost 20 years. It certainly isn’t new, or emerging. What it is, is a changing one.

In years gone by it was easier to either single source (procure through one provider) or completely manage all your IT service needs, due to the relatively small, non-strategic investment in IT; that, and businesses and IT managers alike could wrap their collective heads around the problem. As the complexity of IT grew, so did the strategic investment needed to deliver business outcomes. This forced businesses to look to multiple parties for the delivery of services in order to take advantage of leading-edge IT capabilities: multiple suppliers, internal teams or a mixture of both were used in this delivery. This in turn forced a new managed service and system integrator (MSI) function to emerge, stitching together the various IT services in order to deliver a cohesive end-to-end service to the business.

With the recent normalisation of Everything as a Service and the push for “good enough” service provision, businesses are caught between pushing to adopt these cost-saving services and continuing to receive value from the IT services that they procure. This push, coupled with the shadow IT adoption of cloud-based services, has moved IT departments back into the business of service and system integration. This is what my colleagues and I call micro-sourcing: ad hoc procurement of services.

To follow up on that conversation: I had previously stumbled on this article by Stephanie Overby at CIO magazine. In it she highlights eight tips to deal with liability when outsourcing to multiple IT vendors. I saw it as a great example of how ITO is viewed by the market and by those that make the decisions. This is a very valid, risk-centric view of ITO. Given my conversation and Stephanie’s article, I wanted to pull them together to show that what some of the tips, and thus preconceptions, do is reinforce the MBA-esque risk-averse nature of the approach to ITO and limit the benefits that it can provide.

WhatsApp: an Incomplete thought

February 22nd, 2014

Silicon Valley’s latest acquisition has the Twittersphere in a tizz. For those living under a rock, Facebook acquired messaging company WhatsApp for $19B.

What I like about the whole situation is that WhatsApp exploited a perceived gap in the market. Sure, there are messaging apps that work across multiple platforms, but their focus is all about the social platform. WhatsApp’s was simpler: universal messaging across platforms. Given the platform and style of service, users feel far less threatened, and take-up in various geographies shows this.

They are also a “cloud service platform”, which allows them to mine the information on relationships and interconnectivity that a lot of players in the social service space would kill for. The fact that Google previously offered USD$10B is a clear sign of their value. This can be attributed to a lot of things, not least of which are their growth rate and repeat customer rate.

Whilst this might highlight some trends in the market, like the purchase of startups focused on social services, it is a blinkered view of the market as a whole. These MEGA players (Google, Twitter, Facebook, etc.) have a weird and wonderful product and marketing model that most of the world is still trying to get their heads around. Like most marketing machines, new products are critical to the survival of a company (be they new to market, improvements or repositioning). WhatsApp shows a link between Google’s and Facebook’s understanding of their customers (BTW that’s not you) and what they want, but most importantly, what it is worth.

Apart from the incredulity coming from the average Joe, there are several items and articles out there that attempt to explain why the $19B.

The best article I read was from Danny Crichton (@DannyCrichton), who points out that the growing trend in social application business acquisition is going to change the nature of business, certainly in Silicon Valley. I’m leaning toward agreeing with most of his observations, though I’m willing to bet that some of the other cities around the world will get a look in as the Valley is rapidly becoming expensive!