Category Archives: Computer Security

App Privacy Workshop (Updated)

I gave an application privacy workshop at Code for Boston on Tuesday. They recorded my talk on Facebook and on YouTube.

I posted the slide deck as a PDF. Feel free to offer suggestions in the comments.

Some of the topics I need to add to the presentation:

  • highlight privacy and security testing;
  • having development/test servers and how to sanitize the data in the development/test database;
  • more about SQL injection and XSS attacks;
  • review the video for other topics to add.

GoPro as computer virus infection vector

I came up with an idea of using a GoPro to infect someone’s computer with a virus. A quick search didn’t turn up anything specifically about it, though GoPros have been hacked to be surveillance devices.

For what it is worth, the idea is below.

Why

Your target is someone who has decent computer security procedures: they don’t trust random USB sticks, keep their OS up to date with security patches, and have good passwords.

What is needed

  1. A person to appear to be assaulted. Considering a GoPro is involved, a bicyclist would be ideal. The person assaulted has to be someone the target will identify with and want to help;
  2. One or more people to assault the first person. My guess is that it would work better if they were police or appeared to be police;
  3. A hacked GoPro that can infect the target’s computer both via the SD card and the firmware via the USB port;
  4. A tout to encourage the target to take the GoPro and report the assault.

The process

  1. Stage the assault where very few people can witness it, but the target will;
  2. Person assaulted wears the GoPro on a hat (or more likely helmet) and records the assault;
  3. Person assaulted is taken away, but the hat/helmet with the GoPro is knocked off the person’s head and left behind;
  4. Target, seeing the assault, picks up the GoPro and takes it home. If the target is reluctant to take it home, the tout encourages them;
  5. Once home, target plugs in the SD card or GoPro via USB and is infected.

Not to say that this method will always be successful, but it could work for certain targets. Something to keep in mind if you think you could be a target.

So if any Hollywood studios, spy agencies or criminals want to use it, remuneration is not expected, but attribution is always appreciated.