Friday, August 30, 2019

Potentially malicious use of QR codes and NFC chips

Like any technology, QR codes and NFC chips can be abused and misused for selfish or criminal purposes. I was reminded of this by a recent Dark Reading article by Chris Franklin, Jr. titled "9 Things That Don't Worry You Today (But Should)."

One of the things that Chris highlighted was QR codes and when I saw this particular page it reminded me that I had written about the abuse of these codes myself (seven years ago). In fact, I not only wrote about them, I did some research on them and an adjacent technology, the NFC chip (both can be used to trigger events in an information system, and they are cheap to implement, easy to program, and also very thin). 

I made a very short video to demonstrate one potential type of abuse - tricking people into visiting a malicious website. Here is the video, with thanks to my former employer, ESET, for giving me the time and resources to make this demo:

As you can see, there is plenty of potential for hijacking or misdirecting people's interests via both QR and NFC technology, and I am indebted to my former ESET colleague, Cameron Camp, for pointing some of these out, way back in early 2012.

(Funny story: about that time, Cameron was in Hong Kong to speak at a security conference and noticed the extensive use of QR codes in public transportation vehicles. He pointed this out to a company exec who was there and said, "How about I write a blog post showing how someone could print their own codes on sticky labels and just plaster them over these legit codes?" Apparently, this produced a lot of head-shaking. ESET decided to go with the more low-key demo you see here.)

Back then I wrote a couple of related articles on this blog:

Thursday, August 08, 2019

DEFCON III flashback: why hacking sucks

My session at DEFCON III back in 1995 has lived on as an audio recording (.m4b). Just scroll down this page: DEFCON III Archive. The title was intentionally provocative:

The Party's Over: Why Hacking Sucks

The idea was to generate dialogue about the ethics of hacking, and I think I succeeded. In fact, the audio captures that quite well.

(Bear in mind that this was 1995 and I've been to events in 2019 where organizers seemed incapable of capturing audio this well.)

As someone who had been working on the computer security problem since the 1980s, I have to say I learned a lot from this session and really appreciated everyone's input.

I was invited back the next year and I will post a link to that DEFCON IV session when I find it again. My topic was how to go from hacker to infosec professional, but like many early DEFCON talks it went in several other directions as well (steam trains?).

Here is a link to initiate the audio file download for the DEFCON III talk, and yes, it is safe to do so. The audio is about 49 minutes long and while the sound starts out rough, it gets better quickly. The file is 18.2MB and the filename is: DEF CON 3 Hacking Conference Presentation By Stephen Cobb - Why Hacking Sucks - Audio.m4b

Monday, August 05, 2019

Experienced vendor-neutral panelist available to talk cybersecurity, cybercrime, data privacy, and more

Panel discussion at US Small Business Administration annual convention

Need a panelist who talks well with others?

(Updated January, 2024)

You have this great idea for a panel discussion at a conference, but to make it work you need great panelists. So you need to find subject matter experts who are experienced panelists, but not currently employed or beholden to any business or vendor.

Well, I could be that panelist, particularly if your panel involves technology risks, like cybersecurity, and adjacent fields like artificial intelligence, the cyber skills gap, cybercrime, data privacy, the digital divide, fraud and public health, and more (see my articles on Medium and LinkedIn).

These days I am a completely independent researcher who is also an award-winning technologist with 40 years of real-world experience and, yes, a track record of well-received panel appearances.

So, if you're putting together a panel proposal, or your proposed panel was accepted but now you need panelists, take a look at my areas of expertise. If you think I might be right for your panel, let's discuss - you can reach me on LinkedIn or email scobb at scobb dot net.

Here are some of my areas of expertise and interest:
  • Cybercrime and cybercrime metrics
  • Cybersecurity education, skills gap, and workforce issues
  • Health harms of digital fraud and scams
  • Cyber-war and cyber-conflict
  • Data privacy and data abuse
  • New technology = risks and attacks (e.g. AI, IoT)
  • Public-interest technology and public policy related to the above
Here is me on video: