The worlds of physical and information security are quickly merging into one but people are still trying to take shortcuts.
By now most people have heard news reports about bizarre crimes where stores are receiving bomb threats over the phone and are forced to wire money to some unknown account or the store will get blown up. Evidently the anonymous caller convinces the store employees that they are being observed, makes them sit in a circle or take their clothes off and then wire the money. You can read about these crimes, which are taking place across the country from Maine to Kansas, here, here and even here.
So how is this possible? How can someone be observing store employees from outside the store? Some of the police officers in the above linked stories think it must obviously be the work of evil hackers who broke into the stores’ security systems over the Internet. I think it was said best by Hutchinson, Kansas Police Chief Dick Heitschmidt when he said “If they can access the Internet, they can get to anything.” (Brilliant! Why is this man wasting his life in law enforcement?)
Actually, Chief, they don’t even need access to the whole internet, just Google. Take a look at these Google searches, like this one or this one. Those are default web pages for security cameras. Come on, you didn’t think people actually still used old VHS tape for those things anymore, did you? It is all IP based and digital. Most people are just too lazy or stupid to set up a robots.txt page or even just change the default passwords. As a result the video feeds from the security cameras are available to anyone with a net connection.
So your criminal does a few Google searches, finds an interesting camera or two, figures out what store they belong to and then makes a phone call. Pretty simple, kinda surprised this hasn’t happened before now.
It is worse than that really. A lot of companies are connecting things like their electronic door card access systems, alarm systems and other security systems to the network. Bomb threats via telephone are what happens when they get access to the video cameras. What would happen if they had access to everything else?
Just remember, if you can access something over the net then the bad guys can too if they want to bad enough. The key is to make it hard for them; you can start by changing the default passwords.
Archive for the “Current Events” Category
Once in a great while a technology reporter seems to ‘get it’ and publishes an accurate article without the FUD and fear mongering that usually accompanies a security related news item. When that happens it should be recognized. Take a moment and read “Middle America, Meet the True Hackers” by Andy Greenberg at Forbes.
So the folks over at Independent Security Evaluators claim to have found a remote iPhone exploit. Evidently this is big news as it has already garnered an article in the New York Times (talk about media whoring) and been granted a coveted speaking spot at the Blackhat Security Briefings early next month. Must be a pretty bad spl0it to get all this attention, right?
Doesn’t sound like it, more like they were just the first folks to find a decent sized hole. Sure there have been other holes found, like figuring out how to change the color of your charging battery from green to neon pink or bright blue, or managing to hack in a custom ringtone, or the big one of being able to bypass the AT&T activation but still be able to use the phone. These are all kind of rinky dink holes though, nothing that puts your personal data at risk. This new hole claims to do just that. According to the folks at Independent Security Evaluators their proof of concept code can read the log of SMS messages, the address book, the call history, and the voicemail data. Pretty damning stuff to be sure.
So why is this not a big deal? First of all the delivery method is a little convoluted and requires some social engineering to convince the user to visit a compromised web page or to use an untrusted wireless network. These are the same attack vectors that plague laptops and other PDAs, nothing new here. What is new is that this affects an iPhone, that is why it is getting the press. I also suspect that this will be pretty trivial to fix.
From the details that have been released so far I suspect that just altering iPhone’s Safari to prompt the user when downloading and running applications should do the trick. So basically continue safe computing practices, don’t be complacent and don’t put too much trust in your devices and you’ll be fine. Vulnerabilities that require user interaction like this one aren’t what you should be worrying about; attacks that compromise entire cell sites and infrastructure like the one that hit the Greece Olympics or the hack that hit Paris Hilton are what should be keeping you awake at night.
I know what you’re thinking, “Not more iPhone! Enough Already!” Yeah, I know, me too, but seriously there is just too much FUD floating around out there. FUD from reputable places such as Gartner. Well, OK, maybe not that reputable, but people still listen to them for some reason. They released a white paper last week telling IT Managers to avoid iPhone because it is insecure. What a load of rubbish. The big complaints seem to be USB, IMAP and WiFi. Actually there is a lot more FUD floating around other than just that but I’m just going to focus on the security complaints.
Evidently the fear with USB is twofold: one, that users can steal company secrets, and two, that users will fill up their machines with iTunes music. USB thumb drives and MP3 players have been around for, I don’t know, a long time now. USB mass storage devices can be disabled on both Windows and MacOS. If your IT department hasn’t figured out that these are threats by now you have much bigger problems than an iPhone.
For some reason WiFi is suddenly a new threat, or I guess it is only a threat when it is integrated into iPhone. How is this any different than a WiFi enabled laptop? As long as iPhone supports standard encryption protocols like WPA it is no better or worse off than a roaming laptop, at least for protecting your data in transit over the airwaves. For data stored on the device that is another issue.
It is unknown if iPhone has a firewall of any sort to protect it from WiFi attacks. However, considering that iPhone is based on OSX, which has a firewall built in, it is a pretty good bet that iPhone will have one as well.
OK, so now we have proper mass storage device controls in place, we have encrypted our WiFi and turned on the firewall, what else could possibly be an issue? What’s that? Email you say? Simple IMAP? IMAP is a security issue? Since when? Oh, I see, you’re just so used to using MS Exchange and RIM’s Blackberry Enterprise server you don’t know how to use anything else. Oh, by the way, MS Exchange supports IMAP. Of course you don’t get all the funky features with IMAP that you get with Exchange/Blackberry, like being able to revoke all of a user’s email when you fire them. I suspect Apple will have some interesting iPhone features inside of Mac OSX.5 Leopard later this year. About the only security question I have with iPhone is whether or not it supports IMAP over SSL, or IMAPS. Considering that the iPhone has Safari built in I suspect that support for SSL will be included.
There are even some security features that will probably be in iPhone that haven’t been announced yet.
Quick and easy firmware updates. You probably didn’t even realize it but iTunes will update your iPod firmware automagically with just the click of a button. It will be just the same with iPhone. If a problem develops Apple will just release a firmware patch that will automagically get applied the next time the user syncs. When was the last time you updated the firmware on your cell phone? Ever try to even look for a firmware update for your phone?
iPhone will run a modified version of OSX. That will likely include some form of FileVault, Apple’s encryption technology for user files. That’s right, encryption built right in. This hasn’t been announced and it might not be in there, but if the technology and the code already exist why not put it in?
iPhone looks to be just about as secure or even more so (no proprietary and closed backend) than a Blackberry, Treo, or Blackjack. Everyone saying otherwise is either a paid MS shill, astroturfing, or just plain idiots.
iDefense just announced a bounty of $16,000 for remotely exploitable zero-day flaw in Apache, BIND, Sendmail, OpenSSH, IIS, or Exchange. This comes on the heels of the $10,000 plus a MacBook recently awarded by CanSecWest for remotely exploiting an OSX laptop. While there are similarities between the two offers (not to mention iDefense and others’ standing bounty programs) both of these challenges raise the bar for spl0its.
While $10K isn’t exactly chump change it is definitely worth a few days of banging away to find a hole in a system. In the case of iDefense’s latest offer of $16K many researchers are claiming that it is just not enough to motivate them to invest the work required to find such a hole in the listed software packages. For the vast majority of researchers I suspect that this is true. The people capable of finding these holes all have jobs that pay at least five times that much if not more, and if they don’t they should. $16K to them is probably chump change, at least compared to the effort and work required to find a viable exploit in these very robust packages.
However, I suspect that there are smart people elsewhere in the world for which 16,000 United States dollars might actually mean something. People who might be willing to put in the long hours and hard work required to find such a hole. If such a hole is found the question then becomes if it is worth only $16K or can they make more from it elsewhere? Think about it. A remote code execution vulnerability found in Sendmail, Apache or OpenSSH, what could you do with such a hole if not tied down by morals and ethics? Would you sell it for a measly $16K?
But really, sploits for dollars? Is that really the type of security model we should be promoting?
Unfortunately the days of finding holes for sheer thrill, the glory, and the girliez seem to be far behind us. Is finding holes for a bounty any different than finding them for a salary? The bigger question of course is disclosure. How holes are found isn’t as big an issue as what happens after they are discovered. Should the hole be disclosed or kept secret? If it is to be disclosed should there be a delay until a patch is available, or announce immediately and leave unknowing people vulnerable? Should all holes even be patched?
Sploits for dollars. Maybe a new reality TV sports show?
So by now you have probably heard about the MacBook Pro that was compromised at CanSecWest last Friday. Here is a quick recap if you missed it. A MacBook Pro with all updates applied on a wireless network, if you can break in you win the laptop. Well, after two days no one broke in so the rules were relaxed a little and the MacBooks were allowed to surf to malicious webpages. You can read more details here, here, here, here, here, and probably a few dozen other places.
Over and over people tell me that a product, service or other item is secure because someone else important uses it, and they are sooo important that they would never ever use or do anything insecure. So basically what they are saying is that “I trust them so I will do what they do.” The problem with this is they don’t really know how that other person uses a particular product. Perhaps they made a change to make it more secure, or made a change and unknowingly made it even worse, or made no changes and it is just a crappy product to begin with!
Let’s take for example the millions of people that run their credit cards through POS systems all over the country. Those systems must all be secure, right? Banks wouldn’t let those swipe machines be easily hackable, would they? Well they would if they were the brand used by Stop & Shop Supermarkets. The POS systems you normally use were secretly replaced by (Folgers Crystals!) hacked POS systems that still validated your purchase but recorded the information for later retrieval. (Pretty cool hack if you ask me.)
But, but, but that’s a small company, I only trust big companies since they would never leave their data unsecured! They would if they were TJX, who had people rummaging through their network for over 17 months before the breach was discovered.
But those are brick and mortar shops, they always have problems. Reputable online companies don’t have those sorts of problems. Maybe not, unless you use products from Intuit, whose online TurboTax filing system temporarily exposed tax returns including social security numbers and bank account numbers to anyone who asked. While the time between discovery of the hole and its closure was pretty short it is unknown if it was discovered and abused but not reported even earlier.
Hardware, I trust hardware. All that software stuff is easy to break but give me some good strong hardware any day. You mean hardware like the Secustick, a USB flash drive that automatically encrypts its contents and supposedly self destructs if tampered with? So secure that even the French government trusts it? That’s the kind of hardware you trust? Not so fast, it’s pretty trivial to break that as well.
So be careful who you trust, and don’t depend on others to make the decision for you. Treat your data and personal information as sacred. Trust no one.
I have been trying to beat people over the head about cell phone security issues for years. It is amazing how much people trust those things. They look at it like a microwave or a refrigerator and not a small computer. They think it is a small impenetrable box that only they have access to. But, but, but, but the Government uses them! My FBI buddy uses his Blackberry all the time! Why, they must be secure if they use them on Wall Street! Idiots.
I am glad to see I am not the only one who understands the risks involved.
When you’re setting up party plans for the weekend and sending text messages back and forth, who cares? But when you start flinging business critical PowerPoint presentations around, or worse yet new email passwords, things become a little more important.
I think every C level officer in your company should be forced to read this: Ten dangerous claims about smart phone security. And then print it out and post it in the breakroom. No, they won’t believe you at first but eventually, hopefully, after you beat them over the head with it enough times they may come to accept it.
Myths number 4, 8, and 9 are my favs. 4 is Encryption. People hear that word and think all is right with the world. Most smart phone encryption is like using an armoured car to transport a million dollars from a homeless guy on a park bench to another one living in a cardboard box. What’s the point? Myth 8 is about deleted data still being on the phone. Most people I work with know that when they delete stuff from the computer it is still there, why can’t they understand that it is the same with their phones? And Myth 9, that spying on the phone is hard: wasn’t there a case recently where a Walmart employee (or was it Best Buy?) was caught eavesdropping on his boss’s text messages? I suspect that cell phone eavesdropping is a major tool of industrial espionage.
Personally I still use a seven year old Samsung SPH-N200. Black and white screen, no text messaging, no nothing, but it does what it is supposed to, make phone calls and record voicemails. And it still looks cool enough to get strange looks when I am using it. “Wow, that’s a cool old phone, retro even.” Hehehe.
Hint: Click the Print me button at the bottom of the page so that you don’t have to click through five pages of ads.