Hacking, Sci-Fi Style

Researchers at Ben-Gurion University in Israel have demonstrated controlling a toy rocket launcher attached to an air-gapped computer from another computer nearby (see article).

There are lots of limitations to this attack, but it still shows how a motivated attacker like the NSA or its competitors can pull data out of an air-gapped computer if they want to.

This is likely not an attack we should worry about protecting our home or business computer from, still it is impressive.

Current limitations on the attack include that there have to be two computers within about 15 inches of each other, one of them the air-gapped machine and the other connected to the Internet.  That is not an uncommon situation in places like oil refinery or nuclear power plant control rooms.

Both computers need to be infected with the malware, and the data rate is really slow, about 8 bits an hour.  The key is to send very small commands and very small responses.

The technique works by having the malware on one computer raise that machine's temperature a little (by loading its processor) and having the other computer's built-in heat sensors detect the change; heating and cooling over a fixed interval encode the 1s and 0s.  Because heat moves slowly, each bit takes minutes, which is why the channel is so slow.
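To make the encoding concrete, here is a toy simulation of such a thermal channel, added as an illustration; it is not the researchers' code.  The temperatures, the thermal time constant and the bit period are assumptions, and the model is deliberately simple: the sender's load pushes the receiver's sensor toward a "hot" level, and the receiver decodes each bit from whether its sensor has settled above or below the midpoint between two calibration bits sent first.

```python
import random

# All physical constants below are assumptions for the simulation.
AMBIENT = 35.0     # idle sensor temperature in degrees C
HOT = 45.0         # steady-state temperature under full CPU load
TAU = 120.0        # thermal time constant of the receiving machine, in seconds
PREAMBLE = [0, 1]  # known bits sent first so the receiver can calibrate


def transmit(bits, bit_period, noise=0.05, seed=1):
    """Simulate the receiver's temperature samples (one per second) while the
    sender encodes PREAMBLE + bits by running at full load (1) or idling (0)
    for bit_period seconds each.  The reading follows a first-order thermal
    response toward the target level, plus a little Gaussian sensor noise."""
    rng = random.Random(seed)
    temp = AMBIENT
    samples = []
    for bit in PREAMBLE + list(bits):
        target = HOT if bit else AMBIENT
        for _ in range(bit_period):
            temp += (target - temp) / TAU       # one-second step toward target
            samples.append(temp + rng.gauss(0.0, noise))
    return samples


def _tail_mean(chunk):
    """Average of the last tenth of a bit period, after the sensor has settled."""
    k = max(1, len(chunk) // 10)
    return sum(chunk[-k:]) / k


def receive(samples, bit_period):
    """Decode bits from the sample stream.  The first two periods are the
    preamble: their settled temperatures give the 'cold' and 'hot' levels,
    and each later bit is 1 if it settles above the midpoint, else 0."""
    periods = [samples[i:i + bit_period] for i in range(0, len(samples), bit_period)]
    periods = [p for p in periods if len(p) == bit_period]
    if len(periods) < len(PREAMBLE):
        return []
    cold, hot = _tail_mean(periods[0]), _tail_mean(periods[1])
    threshold = (cold + hot) / 2.0
    return [1 if _tail_mean(p) > threshold else 0 for p in periods[len(PREAMBLE):]]


def bit_errors(bits, bit_period):
    """Send `bits` at the given period and count decoding errors, to show why
    the channel has to be so slow: the sensor needs several TAU to settle."""
    decoded = receive(transmit(bits, bit_period), bit_period)
    return sum(a != b for a, b in zip(bits, decoded)) + abs(len(bits) - len(decoded))


if __name__ == "__main__":
    msg = [1, 0, 1, 1, 0, 0, 1, 0]          # one byte, e.g. a tiny command
    print("450 s/bit (8 bits an hour) errors:", bit_errors(msg, 450))
    print(" 60 s/bit errors:", bit_errors(msg, 60))
```

Running it shows zero errors at 450 seconds per bit (8 bits an hour) and decoding errors once the bit period is cut to 60 seconds, because the sensor has not settled before the next bit starts.  Real sensors are noisier and the room heats up too, which is why the researchers' channel needs calibration and such a low rate.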

The technique does suggest that physically separating those two classes of computers in a high security environment is probably a good idea.

The same folks at Ben-Gurion previously showed that they could use an infected video card as a radio transmitter and pick up the data with the FM radio receiver in a mobile phone.  The new attack, while much slower, is bidirectional.

The article also talks about the NSA's version of these techniques.  The basis for that is documents leaked by Edward Snowden and dated 2008, so the NSA's capabilities are probably well beyond that by now.

The NSA's Tailored Access Operations (TAO) division is known for modifying hardware, although with software implants getting a lot better, that is likely becoming less important.  If you mess with the hardware, you have to get physically near either the manufacturer or the target.  With software, you can do it from the other side of the globe.

One NSA implant, called Cottonmouth-1, embeds a tiny transmitter and receiver in a USB connector to both extract data and inject malware.  It can talk to a suitcase-sized relay station up to 8 miles away.  Obviously, this could be detected by spectral analysis (watching for unexpected radio signals) or defeated by RF shielding, but that kind of monitoring only happens in ultra-secure government facilities (an embassy or military installation, hopefully).  If the target is an ordinary business or a criminal group, it is highly unlikely they would detect it.

If you are into James Bond-esque stuff, Bruce Schneier talks about Cottonmouth, Straitbizarre, Genie, Chimneypool and Howlermonkey, among other NSA goodies, here.


Hilton Honors Web Site Flaw Found and Fixed

I have to both harass and compliment Hilton.

Until recently, Hilton was offering Honors members 1,000 points to change their passwords.

First the harassment:

A security staffer at BancSec figured out that you could hijack any other Honors account by guessing or knowing the target's account number and making a small change to the HTML of the password-change page before submitting it.

The hacker could then redeem points, change the password and do anything that the hacked user would be able to do.

This suggests a lack of penetration testing on Hilton's part.

And now the compliment part:

After being informed, Hilton immediately blocked password changes, effectively stopping, at least, the hijack part of this hack.  Hilton quickly fixed the flaw as well.

The source (see here) calls this a cross site request forgery; from the description, the underlying bug is that the server trusted the account number sent by the browser instead of the one belonging to the logged-in session, so nothing on the server checked that you were changing your own account.  The hack also exposed another design flaw: Hilton did not require you to enter your old password when you changed your password.  If it had, the attackers would not have been able to hijack random accounts, because they did not know any of the existing passwords.

Apparently, the 1,000 point reward was designed to speed up the migration from Hilton's old 4 digit PIN login to an 8 character password.  The old 4 digit PINs caused a large number of Hilton Honors accounts to be hijacked last year.  Starting April 1st, users who try logging on with their PIN will be forced to select a password.
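Here is what that kind of flaw looks like in code, as an added example; this is not Hilton's code, and the account numbers, passwords and handler names are made up for illustration.  The first handler takes the account number from the submitted form and never checks the old password; the second binds the change to the logged-in session and requires the current password.

```python
import hashlib
import hmac
import os


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def check_password(record, password):
    """Constant-time comparison of a candidate password against a stored record."""
    salt, digest = record["pw"]
    return hmac.compare_digest(digest, hash_password(password, salt)[1])


# Constructed accounts: the attacker owns 111111111, the victim owns 222222222.
ACCOUNTS = {
    "111111111": {"pw": hash_password("attacker-pass")},
    "222222222": {"pw": hash_password("victim-pass")},
}


def change_password_vulnerable(session, form):
    """The flaw as the post describes it: the account number comes from the form
    the client submits (editable in the page's HTML), not from the logged-in
    session, and the old password is never checked."""
    acct = ACCOUNTS.get(form["account_number"])
    if acct is None:
        return "no such account"
    acct["pw"] = hash_password(form["new_password"])
    return "changed"


def change_password_fixed(session, form):
    """Hardened: act only on the session's own account and require the current
    password.  A client-supplied account number is simply ignored."""
    acct = ACCOUNTS[session["account_number"]]
    if not check_password(acct, form.get("old_password", "")):
        return "old password wrong"
    acct["pw"] = hash_password(form["new_password"])
    return "changed"


def demo():
    """Replay the hijack against both handlers and report what happened."""
    attacker_session = {"account_number": "111111111"}
    # The attacker edits the hidden account field in the page to the victim's number.
    tampered_form = {"account_number": "222222222", "new_password": "pwned"}

    r1 = change_password_vulnerable(attacker_session, tampered_form)
    hijacked = check_password(ACCOUNTS["222222222"], "pwned")

    # Reset the victim, then try the same request against the fixed handler.
    ACCOUNTS["222222222"]["pw"] = hash_password("victim-pass")
    r2 = change_password_fixed(attacker_session, tampered_form)
    still_safe = check_password(ACCOUNTS["222222222"], "victim-pass")
    return r1, hijacked, r2, still_safe


if __name__ == "__main__":
    print(demo())
```

With the vulnerable handler the tampered request reports "changed" and the victim's password really is "pwned"; with the fixed handler the same request is rejected for a wrong old password and, even if the attacker knew it, the change would only ever touch the attacker's own account.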


Target Agrees To $10 Million Fund For Breach Victims

UPDATE:  KARE11 in Minneapolis is reporting that if you include attorneys' fees and other costs, Target will be on the hook for around $25 million (see article) and that payments could begin as early as April 30th.

NPR is reporting that Target has agreed to set up a $10 million fund for victims of last year’s credit card breach.  The agreement still has to be approved by the judge.  Individual victims could get up to $10,000.

The agreement says that Target will appoint a chief information security officer (I am surprised they don’t have one), create a formal information security program and train employees.  None of this is earth shaking.

What is earth shaking is that victims will be able to be reimbursed for:

  • unauthorized and unreimbursed credit card charges
  • time spent addressing charges
  • fees spent to hire someone to fix their credit report
  • higher interest rates on accounts
  • credit related costs like buying a credit report
  • costs to replace IDs like SSNs or phone numbers

Victims will have to provide reasonable documentation.

Target is still having hard times after the breach, recently announcing it will close all 133 Target Canada stores, laying off 17,000 employees.  Earlier this month it laid off another 1,700 employees and cancelled 1,400 open positions.

The reason this agreement is important is that it sets a precedent that breached businesses are responsible for protecting information and for victims' costs in dealing with the after effects of a breach.

For the most part, up until now, businesses said that they would offer you credit protection and besides that, all the other costs were your responsibility.  After all, the credit card companies and banks eventually credited your account, returned overdraft charges and such.

This precedent may also mean that businesses could be liable for the effects of other, non-credit card, stolen information.

What is not clear is how or if this affects other suits pending, such as the ones the banks have initiated to recoup their costs of replacing credit cards.



Email privacy

The Electronic Communications Privacy Act was written 29 years ago.  Before Google.  Before Facebook.  Even before AOL.

The rules that ECPA set up were based on how we worked 29 years ago.  While there have been many attempts to change ECPA, including the Electronic Communications Privacy Act Amendments Act of 2015 (ECPAA), none, so far, has passed.

The big issue, from a privacy standpoint, is that ECPA treats anything left in the cloud for more than 180 days as essentially abandoned, so your expectation that it is private is nullified.

Of course, anyone who uses GMail or Facebook Mail or whatever leaves all of the IMPORTANT stuff in the cloud for more than 180 days.  It's the junk that gets deleted.  The stuff you save may or may not be sensitive, but it is exactly what the 180 day rule exposes.

ECPA says that if you leave your email in the cloud for more than 180 days, law enforcement can get a copy of whatever is there without having to convince a judge to issue a warrant.  All they need is a subpoena, which does not require a judge's finding of probable cause, telling Google or Microsoft or Facebook that the email is relevant to an investigation.

This is ANY law enforcement person from the local sheriff in a two person department to the FBI.  Anyone.

I am not sure that applies to other stuff stored in the cloud for more than 180 days but I will ask some folks and see what the answer is.

The only way you can mitigate this is to encrypt your email.  The encryption that Google or Facebook does is irrelevant because they hold the keys and can be compelled to use them.  The only encryption that helps is end to end encryption where you control the keys (like PGP and its offshoots).  Encryption does not mean that the NSA cannot hack it, but it will definitely reduce random snooping.

For most of us, we live boring lives and there is not much of interest in our email.

Still, we frequently read about medical personnel being fired for snooping on the medical records of friends, not-so-friends (ex-spouses) and celebrities out of curiosity.  We hear about that because institutions are required to monitor and report unauthorized access to medical records.  That does not mean that all institutions do monitor access, but they are supposed to.  It is much more likely to be detected at larger institutions with more sophisticated IT groups.

There is no such rule for law enforcement snooping, so we have no clue how much curiosity snooping occurs in this realm.  Google and Facebook report aggregate data at a very high level (for example, Google said that it received 3 requests for information from Estonia in the first half of 2014 and provided some information in 67% of those cases; in the same period it received 12,000+ requests in the U.S. and provided some data in 84% of the cases).  See the Google Transparency Report for more information.

Govtrack says there is about a 1% chance that ECPAA will pass this year.


Man Arrested At Border For Refusing To Hand Over Phone Passcode

CNet wrote about a man who was arrested at the Halifax (Canada) airport for refusing to give the passcode for his cellphone to Canadian border agents.

Even if you are not paranoid, it should make you think about what gadgets you take across the border.  Here are some details of this case.

He runs the risk of a fine of between $1,000 to $25,000 plus possible jail time.  His hearing is scheduled for May 12.

The Canadian customs act authorizes officers to examine all goods and conveyances.  That includes cell phones and laptops.

The CBC reports that the issue of giving your passcode to border agents has never been litigated in Canada.

In the U.S., the Fifth Amendment protects you from being compelled to incriminate yourself.  Most courts that have looked at it treat a passcode as testimony (which cannot be compelled), but there have been some dissenters.  There was a case in Denver where a defendant was ordered to decrypt a laptop, and another recent decision held that a suspect could be made to unlock an iPhone with a fingerprint, on the reasoning that a fingerprint, unlike a passcode, is not testimony.  Neither case made it to the appellate level.

U.S. border agents have authority similar to that of Canadian agents.  They don't need warrants and they don't need probable cause.

Two good practices when you travel abroad are (a) don't have illegal stuff on your gadgets and (b) to the maximum extent possible, don't take your digital gadgets across the border.  Remember, we are talking about both U.S. and foreign border agents.

There are lots of techniques to consider, such as crossing the border with a clean device and pulling your data down over a VPN once you arrive, so you never carry it through customs at all.

Even if you are not concerned about the border guys looking at your laptop, there is one thing I would definitely recommend: make sure that you have a good backup of your phone, tablet and laptop, whatever toys you do take with you.  U.S. Customs can legally keep your toys for 30 days if they decide they want to, with no warrant and very limited probable cause, which means you would lose access to your data.  And, of course, your toys could get lost or stolen abroad, just like at any other time.

Just food for thought.


GoDaddy Vulnerable To Social Engineering

CSO Online wrote an article on how easy it is to get around the controls that ISPs and domain registrars have put in place.  I will describe it in more detail in a minute, but here is the short version:

Businesses are much more concerned about keeping customers happy than they are about keeping customers secure.

Sorry, GoDaddy, but that is the truth.  The article’s writer and his friend, a security guy, set out to test GoDaddy’s security.

Here is the crux of the problem:  GoDaddy support says that account resets are a simple process.  If you have forgotten your username or customer number, no problem.  Just click on a link and we will make you happy.  Or you can call them.  Account resets should not be a simple process.  At least make the hacker or terrorist work a little.

In this case, they called customer support.  GoDaddy asked for the domain's registration information, which is available to anyone on the planet with Internet access via Whois or other domain tools.  You can use private registration services to make this harder, but most registrars charge extra for it.  One big registrar that does not charge extra for private registration is 1&1 Internet.  I would say private registration is not a security measure, but they would say it is.

GoDaddy asked if the attacker had access to the account’s email.  He said no.  GoDaddy said no problem.

GoDaddy asked for the account PIN.  Didn’t have that either.  Still no problem.

GoDaddy asked for the last 4 of the credit card for the account.  Didn’t have that either.  Still no problem.

The pseudo-attacker was good at making up reasons for why he didn't have any of this information, but still, he had none of the information.

The final step was to ask the customer to fill out a form and include a copy of a government issued ID.  Of course, no one at GoDaddy has heard of that little-used program called Photoshop.

So, after a little work with Photoshop, the attacker-friend submitted the paperwork to GoDaddy.  Apparently, unlike customer service, the people who read paper forms only work first shift on weekdays, so the attacker was slowed down by having submitted the paperwork on Friday evening.

Monday morning the attacker received an email from GoDaddy at the fake GMail account he had set up for this purpose saying the accounts were registered to a business, so there were additional steps – they needed to contact the business.

Again the attacker made stuff up: this is not a real business, I just thought I had to put something in that blank on the form, so there is no one you could call.  Of course, the CSR could have checked whether the business existed with a Google search, but that, for you Star Trek fans, would have violated the prime directive: a happy customer is one who continues to let us charge his credit card.

At this point, the attacker had control of the domain account and every email that is associated with it.

Not bad for no information and a couple of hours work.

This technique is a favorite of terrorists and hackers.  It is easy and basically untraceable.

To be fair to GoDaddy, MOST businesses are susceptible to this form of attack, whether it is your local department store web site, a registrar, the electric company or whatever.  Social engineering is pretty easy because of the prime directive above – keep the customer happy.

So, until businesses (and really consumers) push back and say, if you can't provide the account number, the credit card number, the PIN, or access to the account's email, then we are not going to help you, it will continue to be very easy to attack someone.  And it is really only a little harder for the attacker to get one of those pieces of information.

A few security product companies will tell you that if you forget your information, you are out of luck.  Absio is one and Silent Circle is another, but this is very rare, because for the most part customers are more concerned about convenience than about security, and until that changes, hackers and terrorists won't have to work very hard.

GoDaddy’s response after the fact was pretty classic:

  • No system is perfect.
  • Creating a fake government ID is illegal, so since you brought our bad policies to our attention we might report you to the authorities (they apparently didn't do that either, which is more weakness in the process).
  • We are going to hold our breath until we turn blue if you ever do this again or write about it.

Well, they didn’t really say the last one, but the other two are true.

I have said for years that in a battle between security and convenience, convenience will always win.  GoDaddy proved it. Again.


