Aug 7, 2019

Hackers arrive via special delivery

A Miami Post Office employee unloads packages in 2015. Photo: Joe Raedle/Getty Images

If it's too hard to breach a network over the internet, hackers may successfully resort to mailing an employee a device designed to steal passwords or implant malware over WiFi, IBM demonstrated in a novel proof-of-concept.

Why it matters: Organizations spend millions of dollars in products, manpower and training to screen incoming internet traffic for malicious attackers, but this snail mail technique could see helpful office managers bringing a hack right to their desk.

How it works: A common way to break into networks is what's known as an "evil twin" attack, setting up fake WiFi access points using the same name as a target WiFi network.

  • IBM's X-Force Red, which companies hire to test their defenses against hackers, built devices that perform evil twin attacks and phone home with results. It then mailed them to employees they knew would be on vacation. In tests, the packages typically made it into the office without incident.
  • "People welcome packages with open arms," Charles Henderson, global lead for IBM's X-Force Red, told Axios. "And when people welcome an attack with open arms, that's the litmus test for us to get excited."

The devices cost around $100 to make and are small enough to hide in the kinds of corporate swag typically sent to companies as promotional items, providing cover for when employees eventually open the package.

  • IBM calls the attack "warshipping," a play on "war dialing," where hackers of yore dialed lists of numbers with their modems, looking for a computer to respond, and "wardriving," where hackers drove around cities looking for free WiFi that spilled out onto the street.

What's next: There are a bunch of clever ways to add onto the attack. Henderson noted if he sent a large box, people might carry it with the base around hip level — the perfect height to place a device that copies the radio chip on an employee ID.

  • Current versions of the attack already include a GPS chip. "We could follow the package as it went out for delivery," he said, "and find other WiFi networks along the route."

Go deeper: Why hackers ignore most security flaws

Go deeper

Experiencing a music festival with tech upgrades

Outside Lands festival in San Francisco, August 2019. Photo: FilmMagic/FilmMagic

Imagine being at a music festival, far enough from the stage that you can’t hear your favorite band well at all — except when you pull out your phone, log into a special WiFi network and instantly get the live music crystal clear into your earphones.

What's happening: Mixhalo, a San Francisco company, is making this possible, and this weekend it was quietly testing its tech at the Outside Lands music festival.

Go deeperArrowAug 12, 2019

Twitter CEO Jack Dorsey's account hacked

Dorsey at a 2018 interview at the Twitter India office in New Delhi, India. Photo: Burhaan Kinu/Hindustan Times via Getty Images

An anonymous user or users posted racial slurs targeting African Americans and promoted Nazi Germany on Twitter CEO Jack Dorsey's hacked account Friday afternoon.

Why it matters: This raises concerns about the account security of other noteworthy figures, including presidents and prime ministers.

Go deeperArrowAug 30, 2019

Database leaked 419 million phone numbers scraped from Facebook

Photo: Avishek Das/SOPA Images/LightRocket via Getty Images

A database of more than 419 million phone numbers taken from Facebook public profiles was accessible on the internet without any security, though it is now removed, reports TechCrunch.

The big picture: The database appears to have been compiled by an unknown group, taking advantage of users that kept their phone numbers in public profiles. Facebook stopped including phone numbers in public profiles last year.

Go deeperArrowSep 4, 2019