Friday, August 30, 2019

Potentially malicious use of QR codes and NFC chips

Like any technology, QR codes and NFC chips can be abused and misused for selfish or criminal purposes. I was reminded of this by a recent Dark Reading article by Chris Franklin, Jr. titled "9 Things That Don't Worry You Today (But Should)."

One of the things that Chris highlighted was QR codes, and seeing that page reminded me that I had written about the abuse of these codes myself, seven years ago. In fact, I not only wrote about them, I did some research on them and an adjacent technology, the NFC chip (both can be used to trigger events in an information system, and they are cheap to implement, easy to program, and also very thin). 

I made a very short video to demonstrate one potential type of abuse - tricking people into visiting a malicious website. Here is the video, with thanks to my former employer, ESET, for giving me the time and resources to make this demo:


As you can see, there is plenty of potential for hijacking or misdirecting people's interests via both QR and NFC technology, and I am indebted to my former ESET colleague, Cameron Camp, for pointing some of these out, way back in early 2012.

(Funny story: about that time, Cameron was in Hong Kong to speak at a security conference and noticed the extensive use of QR codes in public transportation vehicles. He pointed this out to a company exec who was there and said, "How about I write a blog post showing how someone could print their own codes on sticky labels and just plaster them over these legit codes?" Apparently, this produced a lot of head-shaking. ESET decided to go with the more low key demo you see here.)
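To make the sticker attack concrete, here is an added example (my own code, not part of the original post or the ESET demo). Whether it comes from a QR code or an NFC tag, what the phone actually acts on is a short URL string; an NFC tag delivers it as an NDEF URI record, where the first payload byte is a prefix code ("https://www." and so on) and the rest is the URI text. The script builds two constructed tags for a hypothetical transit operator at mta.example: the legitimate one and a rogue overlay that looks identical to a rider but carries the operator's name in the userinfo part of the URL so the real destination is an IP address. It then applies the checks a scanning app, or a careful user, should run before following any URL that arrived on a sticker. The tag bytes, the domain, and the shortener list are all illustrative; the parser handles only single short NDEF records.

```python
"""Decode an NFC NDEF URI record (or a raw QR payload) and flag risky URLs.

Added example for this post; not code from the original demo.
Only single, short (SR=1) well-known 'U' records are handled.
"""
import ipaddress
from typing import List, Tuple
from urllib.parse import urlsplit

# NFC Forum URI Record Type Definition: payload byte 0 selects a prefix
# that the reader prepends to the remaining UTF-8 bytes (partial table).
URI_PREFIXES = {
    0x00: "", 0x01: "http://www.", 0x02: "https://www.", 0x03: "http://",
    0x04: "https://", 0x05: "tel:", 0x06: "mailto:",
}

# A few widely used shorteners; illustrative, not a complete list.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}


def make_uri_record(prefix_code: int, rest: str) -> bytes:
    """Build a single-record NDEF message (MB=ME=SR=1, TNF=1, type 'U').

    This is the 'writer' side: everything needed to program a tag.
    """
    payload = bytes([prefix_code]) + rest.encode("utf-8")
    return bytes([0xD1, 0x01, len(payload)]) + b"U" + payload


def parse_ndef_uri(msg: bytes) -> str:
    """Return the URI carried by a short NDEF 'U' record.

    Header byte layout: MB ME CF SR IL TNF(3 bits).
    """
    hdr = msg[0]
    tnf, sr, il = hdr & 0x07, bool(hdr & 0x10), bool(hdr & 0x08)
    if tnf != 0x01 or not sr:
        raise ValueError("only short well-known records are supported")
    type_len, payload_len, pos = msg[1], msg[2], 3
    id_len = 0
    if il:
        id_len, pos = msg[pos], pos + 1
    rtype = msg[pos:pos + type_len]
    pos += type_len + id_len
    if rtype != b"U":
        raise ValueError("not a URI record")
    payload = msg[pos:pos + payload_len]
    if len(payload) != payload_len:
        raise ValueError("truncated payload")
    prefix = URI_PREFIXES.get(payload[0])
    if prefix is None:
        raise ValueError("unknown URI prefix code")
    return prefix + payload[1:].decode("utf-8")


def assess_url(url: str, expected_domains=("mta.example",)) -> List[str]:
    """Return reasons the URL looks risky; an empty list means no flags.

    A QR decoder hands back the raw string, so this applies to QR payloads
    directly. expected_domains is the deploying organisation's own domains
    (hypothetical here).
    """
    flags = []
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return [f"non-web scheme {parts.scheme!r}"]
    host = parts.hostname or ""
    if parts.scheme != "https":
        flags.append("plain http")
    if parts.username is not None:
        flags.append("userinfo before '@' hides the real host")
    try:
        ipaddress.ip_address(host)
        flags.append("IP-literal host")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode label (possible homograph)")
    if host in SHORTENERS:
        flags.append("URL shortener hides destination")
    if not any(host == d or host.endswith("." + d) for d in expected_domains):
        flags.append(f"host {host!r} is not under an expected domain")
    return flags


def scan(msg: bytes, expected_domains=("mta.example",)) -> Tuple[str, List[str]]:
    """What a cautious reader app would do: decode, then judge before opening."""
    url = parse_ndef_uri(msg)
    return url, assess_url(url, expected_domains)


# Constructed sample tags (not captured from real hardware).
LEGIT_TAG = make_uri_record(0x02, "mta.example/fares")
# The sticker overlay: same look to a rider, different destination.
ROGUE_TAG = make_uri_record(0x04, "mta.example@198.51.100.7/fares")

if __name__ == "__main__":
    for name, tag in (("legit", LEGIT_TAG), ("rogue", ROGUE_TAG)):
        url, flags = scan(tag)
        print(f"{name}: {url} -> {flags or 'no flags'}")
```

The rogue tag decodes to a URL that a glance would accept, yet three checks fire on it at once. The point of the demo in the video, and of Cameron's sticker idea, is that the user never sees the string before the browser opens it; the fix is for the scanning app to surface and check the decoded URL before acting on it.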

Back then I wrote a couple of related articles on this blog:
Enjoy!

Thursday, August 08, 2019

DEFCON III flashback: why hacking sucks


My session at DEFCON III back in 1995 has lived on as an audio recording (.m4b). Just scroll down this page: DEFCON III Archive. The title was intentionally provocative:

The Party's Over: Why Hacking Sucks

The idea was to generate dialogue about the ethics of hacking, and I think I succeeded. In fact, the audio captures that quite well.

(Bear in mind that this was 1995, and I've been to events in 2019 where organizers seemed incapable of capturing audio this well.)

As someone who had been working on the computer security problem since the 1980s, I have to say I learned a lot from this session and really appreciated everyone's input.

I was invited back the next year and I will post a link to that DEFCON IV session when I find it again. My topic was how to go from hacker to infosec professional, but like many early DEFCON talks it went in several other directions as well (steam trains?).

Here is a link to initiate the audio file download for the DEFCON III talk, and yes, it is safe to do so. The audio is about 49 minutes long and while the sound starts out rough, it gets better quickly. The file is 18.2MB and the filename is: DEF CON 3 Hacking Conference Presentation By Stephen Cobb - Why Hacking Sucks - Audio.m4b

Monday, August 05, 2019

Experienced vendor-neutral panelist available to talk cybersecurity, cybercrime, data privacy, and more

Has this happened to you? You have a great idea for a panel at a conference, but you need to find great panelists: preferably subject matter experts who are not employed by a vendor, yet do have experience as panelists.

Well, I am one such person: a completely independent researcher specializing in cybersecurity and data privacy who is also an award-winning technologist with 30 years of industry experience. And yes, I have a track record of well-received panel appearances.

So, if you're putting together a panel proposal, or your proposed panel was accepted but now you need panelists, take a look at my areas of expertise. If you think I might be right for your panel, let's discuss - you can reach me on LinkedIn and DMs are open on Twitter.

Here are some of my areas of expertise and interest:
  • Cybercrime and cybercrime metrics
  • Cybersecurity education, skills gap, and workforce issues
  • Cyber-war and cyber-conflict
  • Data privacy and data abuse
  • New technology = risks and attacks (e.g. AI, IoT)
  • Public-interest technology and public policy related to the above
Here is me on video: