Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

> Nobody penetration tests a Fortune 500 company looking to see if they can light up the cameras on worker desktops.

This surprises me, to some degree. Compromise a machine or laptop privvy to sensitive information -- meetings, phone calls, etc. -- and you might have access to valuable information.

These days, I guess that could include the sound of passwords being typed in, for which keystroke analysis software was making the headlines a couple of years ago.

Part of me is not surprised. Few people think of all the ways around security. But, big dollar pen testers should.

I would presume that firewalls have some success in keeping such malicious data streams from exiting the internal network. Then again... How can one distinguish them from all the legitimate IP-based conferencing going on, these days?

P.S. I suppose in part it is security through obscurity. Being able to identify a useful target and pick out the valuable bits of information. When you're simply spraying exploits, that's probably a needle in a haystack with regard to this kind of information. Or at least, needing of much more attention that waiting for your software to pass back a log of user name and password fields, cookies, etc.



Replying to myself. I am certainly no expert, but both on my own and more so perhaps simply extrapolating from what I hear about, I imagine circumstances that, a few years later, I seem to end up reading about.

But, that's not the point of my reply. That is, that I am not an expert, and I seem to be drifting further and further away from relevance in conversations, these days.

So, I think it is time to unplug myself. Maybe still browse, but enough of my comments.


Does it seem likely that this is the easiest way to get that information, however? If you get someone's email or files you get what is likely to be more detailed information in a conveniently easily searched and summarized form but if you get an audio recording you either have to listen to it yourself or spend time getting a high-quality speech recognition system up and running.


The zero-days used on high-dollar commercial pentests give attackers remote code execution.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: