<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Paul Robertson, Author at Security Current</title>
	<atom:link href="/author/paul-robertson/feed/" rel="self" type="application/rss+xml" />
	<link>/author/paul-robertson/</link>
	<description>Security Current improves the way security, privacy and risk executives around the world collaborate to protect their organizations and their information. Its CISO-driven proprietary content and events provide insight, actionable advice and analysis giving executives the latest information to make knowledgeable decisions.</description>
	<lastBuildDate>Wed, 03 Jan 2018 02:04:42 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>/wp-content/uploads/2020/09/cropped-Security-Current-Round-Logo-32x32.png</url>
	<title>Paul Robertson, Author at Security Current</title>
	<link>/author/paul-robertson/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Wearables in the Workplace, Get the Policy Right Today</title>
		<link>/wearables-in-the-workplace-get-the-policy-right-today/</link>
					<comments>/wearables-in-the-workplace-get-the-policy-right-today/#respond</comments>
		
		<dc:creator><![CDATA[Paul Robertson]]></dc:creator>
		<pubDate>Tue, 17 Jun 2014 14:25:10 +0000</pubDate>
				<category><![CDATA[Archived Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=16996</guid>

					<description><![CDATA[<p>Do your workplace policies cover wearable devices? Many commercial and Government facilities ban cameras and cellular phones with cameras, but having such policies and not enforcing them can hurt you in the&#8230;</p>
<p>The post <a href="/wearables-in-the-workplace-get-the-policy-right-today/">Wearables in the Workplace, Get the Policy Right Today</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Do your workplace policies cover wearable devices? Many commercial and Government facilities ban cameras and cellular phones with cameras, but having such policies and not enforcing them can hurt you in the wake of a successful attack.</p>
<p>If you routinely ignore a security policy and someone violates it, then you may be left holding the bag &#8212; I’ve seen it play out in criminal charges.</p>
<p>Today’s risk is increasing. Uncontrolled wireless devices are being introduced at increasing rates &#8212; from smartphones to tablets, we’ve all started to deal with mobile device security issues, but what about wearables?</p>
<p>The most obvious device that’s going to produce a plethora of security and social issues is Google Glass and its clones. From company secrets to Human Resources issues (staged and real) to non-work activity, the always-available video recording of the workplace environment means new risks in data loss prevention (DLP).</p>
<p>Traditional DLP solutions don’t work on still images, let alone video streams.  A customer service agent could record all transactions for a day without much effort.  Retail clerks and wait staff could easily record all credit cards, including validation codes.</p>
<p>Accident and insurance fraud from staged accidents in retail environments and the automobile world is common. Staged falls, baited hostile workplace reactions and false sexual harassment claims, whether by customers or employees who are prone to commit fraud on their own or as part of an organized group, may be facilitated by wearables.</p>
<p>Even if employees themselves aren’t malicious, these devices and their data streams are going to be vulnerable to both malicious code and data theft. Think about the amount of thought your least-savvy employee puts into the selection of applications for their smartphone. Now imagine an always-available, object- and text-identifying device hanging off his ears and the bridge of his nose!</p>
<p>Moreover, as the technology matures, other wearable smart devices are going to create personal area networks (PANs) to interact with one another.  Every manner of sensor available is going to be connected to clothing and accessories, and all that data will measure, quantify and collect everything in the work environment.</p>
<p>While attackers have long searched source code for bugs, they’ve always needed a copy of the program.  Traditional corporate perimeters have sometimes made that acquisition more difficult.  Home-based tele-workers and laptops made that perimeter more porous, but streaming wearable devices may make that pattern matching even more removed from the source material.</p>
<p>It’s not just video either! We’ve known for several years now that we can reconstruct keystrokes based upon sound input from recorders, speakerphones and Voice Over IP (VoIP) systems. This threat has started to emerge slowly, but will eventually gain more traction. What’s next? Motion sensor readings from a smartwatch?</p>
<p>As wearable smart devices become more common, they may be as ubiquitous and as ignored as cameras on phones are today.  Policies and procedures are the first defense, but eventually we’re going to need technical measures to help protect customer data, sensitive information and even personnel from staged events designed to provide leverage over employees or management.</p>
]]></content:encoded>
					
					<wfw:commentRss>/wearables-in-the-workplace-get-the-policy-right-today/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Thermal Imaging Attacks; Research Heats Up!</title>
		<link>/thermal-imaging-attacks-research-heats-up/</link>
					<comments>/thermal-imaging-attacks-research-heats-up/#respond</comments>
		
		<dc:creator><![CDATA[Paul Robertson]]></dc:creator>
		<pubDate>Thu, 19 Dec 2013 01:20:21 +0000</pubDate>
				<category><![CDATA[Archived Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=17792</guid>

					<description><![CDATA[<p>We’ve all had or seen server room doors protected by combination locks. Most safes these days are protected by electronic keypads, like the ones used to safeguard on-site backup tapes. Using&#8230;</p>
<p>The post <a href="/thermal-imaging-attacks-research-heats-up/">Thermal Imaging Attacks; Research Heats Up!</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>We’ve all had or seen server room doors protected by combination locks.</p>
<p>Most safes these days are protected by electronic keypads, like the ones used to safeguard on-site backup tapes. Using digital keypads, one’s fingers transfer a minute amount of heat to each key pressed.</p>
<p>This heat can be read by thermal imaging cameras for a short period of time after the keys have been pressed.</p>
<p>These cameras detect and display a large swath of the infrared (IR) spectrum.  So, if you are using a keypad to access a door or a safe you are at risk.</p>
<p>A 2005 report, “<a href="http://lcamtuf.coredump.cx/tsafe/">Cracking safes with thermal imaging</a>” by Michal Zalewski, was the first to bring this threat to the forefront. Since that time, sophisticated attackers and penetration testers have tried to take advantage of the infrared technology used in these types of attacks.</p>
<p>Three researchers, students at the University of California, San Diego (UCSD), recently followed up on the findings with their own study, <a href="http://cseweb.ucsd.edu/~smeiklejohn/files/woot11.pdf">“Heat of the Moment: Characterizing the Efficacy of Thermal Camera-Based Attacks</a>,” which automates the code acquisition using metal and plastic Automated Teller Machine (ATM) keyboards.</p>
<p>The researchers found that the rate of successful recovery rose when recovery was automated.  For example, within one minute of the personal identification number (PIN) being entered, recovery via visual inspection was 20-30% while automated recovery was approximately 50%.</p>
<p>Thermal imaging cameras can be rented for under $2,000 a month and thermal probes for microcontrollers can be purchased for dollars. The camera used by the researchers retails for about $18,000.</p>
<p>Keaton Mowery, one of the UCSD researchers and authors of the paper, shared with securitycurrent a few key findings about the data:</p>
<ul>
<li>The key presses added 2-4 degrees to the environment, dissipating over 20-40 seconds, depending on how warm the subject’s hands were.  Since people’s hand temperatures can vary widely, changing the ambient temperature isn’t likely to impact things a great deal.</li>
<li>Subsequent key presses that aren’t part of the PIN were effective in masking the PIN.</li>
<li>Insulating or thick gloves are also very good protection from PIN discovery.</li>
<li>Seven of the twenty-seven codes tested had repeat digits, and while figuring out which digits were pressed was still accurate, the software struggled to identify the actual key code used.</li>
</ul>
<p>These types of thermal-based attacks are of concern because the victim isn’t aware of the attack and doesn’t know their credentials have been compromised. Moreover, since the attacks aren’t common knowledge yet, most people don’t know to try to prevent them.</p>
<p>An attacker simply has to point a thermal imaging camera at a safe keypad, door button combination lock or ATM keypad and within a couple of minutes of a legitimate user entering the PIN or combination it is known to the attacker.</p>
<p>There are some steps that can be taken which help make an attacker’s job more difficult or block attempts to use thermal detection to carry out these attacks. Some of the steps you can take are:</p>
<ul>
<li>Pressing random keypad digits after opening a lock or using an ATM can help throw off an attacker.  Mowery recommends pressing non-PIN/combination digits to mask the true numbers.</li>
<li>Wearing gloves is another obvious protection, though it’s not practical for all users.</li>
</ul>
<p>Similar attacks have been documented, such as the 2010 paper by researchers at the University of Pennsylvania, “<a href="https://www.usenix.org/legacy/events/woot10/tech/full_papers/Aviv.pdf">Smudge Attacks on Smartphone Touch Screens,”</a> which detailed the recovery of smart phone PINs by photographing the fingerprint smudges on their screens.  Going from PINs to passwords without obvious patterns or meanings on smartphones is a decent mitigation tactic for that particular attack.</p>
<p>Each of these attacks falls into the realm of physical security but leverages technology like thermal cameras to carry out.  Most IT Security departments don’t focus on physical security, and very few organizations change lock combinations with any frequency.  In the end, if securing access to these areas that contain sensitive information is paramount, it is advisable based on the research to supplement these keypad locks with radio frequency identification (RFID)-based badge readers to prevent thermal-based attacks.</p>
]]></content:encoded>
					
					<wfw:commentRss>/thermal-imaging-attacks-research-heats-up/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Sometimes Your Employees Go Home; The Case for Securing Home Users</title>
		<link>/sometimes-your-employees-go-home-the-case-for-securing-home-users/</link>
					<comments>/sometimes-your-employees-go-home-the-case-for-securing-home-users/#respond</comments>
		
		<dc:creator><![CDATA[Paul Robertson]]></dc:creator>
		<pubDate>Thu, 21 Nov 2013 21:38:30 +0000</pubDate>
				<category><![CDATA[Archived Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=17874</guid>

					<description><![CDATA[<p>Bring your own devices (BYOD), USB flash drives, signing into compromised personal web-based accounts from work, and shared passwords. These are some of the reasons for information security professionals to train&#8230;</p>
<p>The post <a href="/sometimes-your-employees-go-home-the-case-for-securing-home-users/">Sometimes Your Employees Go Home; The Case for Securing Home Users</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Bring your own devices (BYOD), USB flash drives, signing into compromised personal web-based accounts from work, and shared passwords. These are some of the reasons for information security professionals to train their employee user base, even when it’s about apparently non-work-related computing resources.</p>
<p>Becoming visible to your non-security enterprise end users as a security resource is key. The more your users interact with you in a security context, the better off your organization will be. End-user outreach programs, lunchtime online safety and online parenting safety classes are just a few examples of time well-spent when it comes to your end-users being more communicative with you.</p>
<p>We’ve all seen computer security incidents where the first indicator of an event was an end-user’s help desk issue in the form of full disks, password problems, and slow networks. Infosec professionals should leverage the helpdesk trouble ticket system as early-warning RADAR.</p>
<p>As this may be the first sign of an issue, you want to encourage the use of the help desk for all reports. That means following up on trivial tickets, thanking the reporter and consistently reminding them that it’s in their best interest to report everything.</p>
<p>More progressive organizations ensure that home user information security practices and training are available to employees so they don’t do something at home that could potentially impact the organization’s security posture.</p>
<p>That thumb drive of baby pictures coming from an infected home PC will bypass your security perimeter. That jailbroken smartphone will be plugged in to charge and mount on the work PC. That salesperson’s laptop will be used for personal surfing on the road. All of these are threats to the enterprise, and while we can create policies and procedures to limit the exposure, providing expertise, software and training will help to backstop those policies and procedures.</p>
<p>The other advantage of working with your users’ knowledge of overall infosec practices is that you can take the better ones and make them more responsible for overseeing and reporting issues in their areas of operations. That effectively gives you a reserve information security force as well as organizational visibility into end-user practices and concerns.</p>
<p>For additional information and an enterprise IT security officer&#8217;s perspective read: <a href="http://www.securitycurrent.com/en/ciso_journal/ac_ciso_journal/if-you-host-it-they-will-come">If You Host It, They Will Come</a></p>
]]></content:encoded>
					
					<wfw:commentRss>/sometimes-your-employees-go-home-the-case-for-securing-home-users/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Software Defined Radio: A Hacker’s Dream</title>
		<link>/software-defined-radio-a-hackers-dream/</link>
					<comments>/software-defined-radio-a-hackers-dream/#respond</comments>
		
		<dc:creator><![CDATA[Paul Robertson]]></dc:creator>
		<pubDate>Mon, 11 Nov 2013 21:59:30 +0000</pubDate>
				<category><![CDATA[Archived Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=17891</guid>

					<description><![CDATA[<p>Wireless cameras, RFID key cards, keyboards, cordless phones, just about every wireless technology that isn’t light- or sound-based will attract a horde of researchers (and attackers) looking at ways to exploit &#8230;</p>
<p>The post <a href="/software-defined-radio-a-hackers-dream/">Software Defined Radio: A Hacker’s Dream</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Wireless cameras, RFID key cards, keyboards, cordless phones, just about every wireless technology that isn’t light- or sound-based will attract a horde of researchers (and attackers) looking at ways to exploit them. Are you prepared?</p>
<p>It is now known that your car’s GPS, toaster and medical devices are vulnerable to attack. Built, for the most part, without protection in place, many of these devices are now being retrofitted with security. But did you know that your WiFi devices likely are just as vulnerable?</p>
<p>Enter <a href="https://en.wikipedia.org/wiki/Software-defined_radio">Software Defined Radio (SDR)</a>. Frequency hopping, modulation schemes and other signal processing happen in software rather than specialized hardware. It is the ultimate in convenience for eavesdroppers seeking confidential information.</p>
<p>Like much firmware, many radio devices were not built with security in mind. This makes them vulnerable to attackers on cellular communication systems, Bluetooth™ keyboards, RFID/NFC devices (contactless communications), WiFi, Radio Data Systems (RDS) and other devices.</p>
<p>Case in point: Bluetooth keyboards. A relatively inexpensive (about $120) device called the Ubertooth was designed and manufactured to explore the Bluetooth transmission part of the radio spectrum and was quickly picked up by pen-testers. The <a href="https://ubertooth.blogspot.com/2012/11/so-you-want-to-track-people-with.html">Ubertooth’s</a> “random” frequency-hopping mode is predictable enough to make it possible to monitor Bluetooth hardware. Users can be tracked by their Bluetooth devices if strategically placed Ubertooths (teeth?) are positioned along their route.</p>
<p>Brace yourselves though &#8212; Michael Ossmann, the hardware wizard behind the <a href="https://ubertooth.blogspot.com/2012/11/so-you-want-to-track-people-with.html">Ubertooth</a>, has a new SDR project, HackRF, on <a href="https://www.kickstarter.com/projects/mossmann/hackrf-an-open-source-sdr-platform">Kickstarter</a>. For pen-testers and attackers it’s set to be a radio gold mine, described as “a single software radio platform (that) can be used to implement virtually any wireless technology (Bluetooth, ZigBee, cellular technologies, FM radio, etc.).&#8221;</p>
<p>The HackRF module has a frequency range from 30MHz to 6GHz natively and can be made to operate in even lower frequency ranges with an up-converter. However, the design range is more than sufficient to cover most RF communications. For $300, attackers (and researchers) will be able to extend their range of mischief.</p>
]]></content:encoded>
					
					<wfw:commentRss>/software-defined-radio-a-hackers-dream/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Can’t Touch This? Researchers Successfully Eavesdrop on Contactless Cards</title>
		<link>/cant-touch-this-researchers-successfully-eavesdrop-on-contactless-cards/</link>
					<comments>/cant-touch-this-researchers-successfully-eavesdrop-on-contactless-cards/#respond</comments>
		
		<dc:creator><![CDATA[Paul Robertson]]></dc:creator>
		<pubDate>Wed, 06 Nov 2013 22:10:52 +0000</pubDate>
				<category><![CDATA[Archived Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=17898</guid>

					<description><![CDATA[<p>Contactless card transactions are becoming increasingly popular in the United States, Europe and Asia. In the United Kingdom alone there are some 34.5 million cards in issue with contactless functionality&#8230;</p>
<p>The post <a href="/cant-touch-this-researchers-successfully-eavesdrop-on-contactless-cards/">Can’t Touch This? Researchers Successfully Eavesdrop on Contactless Cards</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Contactless card transactions are becoming increasingly popular in the United States, Europe and Asia. In the United Kingdom alone there are some 34.5 million cards in issue with contactless functionality according to the <a href="http://www.contactless.info/Facts-and-Stats.asp">UK Cards Association</a>.</p>
<p>With contactless payments no signatures or PINs are required for authorization. This makes transactions under approximately $35 quick, occurring in less than a second. According to the system’s advocates, it not only spurs spending but also improves customer service.</p>
<p>However, there is a growing concern about the security risks and apparently it is justified.</p>
<p>Researchers from the Department of Computing, and Center for Communications Systems Research, both at the UK’s University of Surrey, published a paper detailing an eavesdropping attack on contactless payment transactions that employ Near-Field Communications (NFC) systems. NFC chips have already been adopted by big players in electronic payments such as Capital One, VISA, MasterCard and Google, and there is a growing push to use them for point-of-sale transactions.</p>
<p>In the paper, published in the Journal of Engineering last month and found in the <a href="http://digital-library.theiet.org/content/journals/10.1049/joe.2013.0087;jsessionid=3bggvbgimjqg9.x-iet-live-01#C5">IET Digital Library</a>, the researchers showed that, despite the belief that a distance limitation of about 5cm or just under 2” provided protection, this was not the case. The researchers documented that they could reliably eavesdrop on all transactions at 40cm, or around 15”, with successful results at up to 90cm or 35.4 inches.</p>
<p>The research was conducted using readily available off-the-shelf hardware with the most expensive component costing about 1500 British Pounds.  They posit that cheaper equipment could be custom-built by attackers and hidden in backpacks or other innocuous places making attacks easier to carry out.</p>
]]></content:encoded>
					
					<wfw:commentRss>/cant-touch-this-researchers-successfully-eavesdrop-on-contactless-cards/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Firmware Attacks on the Uptick</title>
		<link>/firmware-attacks-on-the-uptick/</link>
					<comments>/firmware-attacks-on-the-uptick/#respond</comments>
		
		<dc:creator><![CDATA[Paul Robertson]]></dc:creator>
		<pubDate>Mon, 04 Nov 2013 22:15:04 +0000</pubDate>
				<category><![CDATA[Archived Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=17903</guid>

					<description><![CDATA[<p>Firmware attacks are growing increasingly popular among software hackers. Despite efforts to issue patches for firmware, reported attacks are on the uptick. For instance, Ruben Santamarta, a security researcher at IOActive, recently&#8230;</p>
<p>The post <a href="/firmware-attacks-on-the-uptick/">Firmware Attacks on the Uptick</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Firmware attacks are growing increasingly popular among software hackers. Despite efforts to issue patches for firmware, <a href="http://www.pcpro.co.uk/news/security/385015/more-wireless-router-firmware-flaws-warns-researcher">reported attacks</a> are on the uptick.</p>
<p>For instance, Ruben Santamarta, a security researcher at IOActive, recently posted a <a href="http://blog.ioactive.com/2013/10/hacking-counterfeit-money-detector-for.html">blog</a> in which he describes how he directed the firmware of a counterfeit money detector to force the system to literally accept any piece of paper as legitimate currency.</p>
<p>This follows Jeroen Domburg’s research article about tampering with firmware earlier this year. Domburg wrote a step-by-step article about reverse engineering enough of a Western Digital hard drive’s firmware to successfully inject a Trojan onto the hard drive. The Trojan allowed root access to a system where the drive was installed. The <a href="http://spritesmods.com/?art=hddhack">article</a> reveals the process.</p>
<p>Furthermore, there are <a href="http://news.techworld.com/security/3461408/lenovo-pcs-banned-by-cia-and-mi5-over-alleged-backdoors-report-claims/">rumors</a> of Trojans in BIOS and device firmware in Lenovo systems. While the claims may or may not be true, they are worrisome in principle for any part of the IT supply chain. For example, five years ago the U.S. <a href="http://www.zdnet.com/fbi-fears-hardware-backdoors-in-us-military-kit-3039417171/">government</a> was worried about the possibility of counterfeit Cisco routers in the government supply chain.</p>
<p>I can’t think of anywhere I’ve worked, consulted or visited where they have a process in place that would catch any of these attack techniques. In terms of the bank note validation, a simple procedure to test the system with legitimate and illegitimate bills and paper would suffice to catch the first iteration of this type of attack. The drive firmware is much more worrying, especially in terms of things such as the forensics processes used to deal with evidence of a crime.</p>
<p>With off-the-shelf micro-controllers and the techniques and tools for reverse engineering becoming cheaper and more readily available, the old “obscurity cloak” is no longer effective against even a hobbyist sitting in Starbucks with their laptop and a handful of tools.</p>
<p>Because firmware as a vector is becoming increasingly popular, we need to look at both validating the firmware of deployed systems (SCADA and non-SCADA) as well as designing systems where that validation is easy and repeatable.</p>
]]></content:encoded>
					
					<wfw:commentRss>/firmware-attacks-on-the-uptick/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>MIT Researchers Uncover Security Flaws in C and C++ Software</title>
		<link>/mit-researchers-uncover-security-flaws-in-c-and-c-software/</link>
					<comments>/mit-researchers-uncover-security-flaws-in-c-and-c-software/#respond</comments>
		
		<dc:creator><![CDATA[Paul Robertson]]></dc:creator>
		<pubDate>Fri, 01 Nov 2013 22:29:02 +0000</pubDate>
				<category><![CDATA[Archived Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=17910</guid>

					<description><![CDATA[<p>MIT researchers have produced a new paper that uncovers security flaws in C and C++ software, generated by compiler optimizations that discard ambiguous code or code that produces undefined behavior. Some of&#8230;</p>
<p>The post <a href="/mit-researchers-uncover-security-flaws-in-c-and-c-software/">MIT Researchers Uncover Security Flaws in C and C++ Software</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>MIT researchers have produced a new <a href="http://pdos.csail.mit.edu/~xi/papers/stack-sosp13.pdf">paper</a> that uncovers security flaws in C and C++ software, introduced by compiler optimizations that discard ambiguous code or code that produces undefined behavior.</p>
<p>Some of that code includes security-relevant checks, and the paper includes examples of null pointer checks and pointer overflow checks that the GCC compiler optimizes away, leaving the resulting object code exploitable.</p>
<p>More complex ambiguous code includes things like bit shift operations that operate one way on x86 and operate another way on different architectures such as ARM.</p>
<p>The MIT team produced a new static source code checker named STACK that identifies such code, which they term &#8220;undefined behavior&#8221; and &#8220;unstable code.&#8221;</p>
<p>The researchers identified 32 bugs inside the Linux kernel, five in the Python programming language and nine in the Postgres DBMS. More worryingly, the team ran STACK against the Debian Linux archive, of which 8575 out of 17432 packages contained C/C++ code. For a whopping 3471 packages, STACK detected at least one instance of unstable code.</p>
<p>The research paper can be found at: <u>http://pdos.csail.mit.edu/~xi/papers/stack-sosp13.pdf</u></p>
<p>The post <a href="/mit-researchers-uncover-security-flaws-in-c-and-c-software/">MIT Researchers Uncover Security Flaws in C and C++ Software</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>/mit-researchers-uncover-security-flaws-in-c-and-c-software/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Wormiversary!</title>
		<link>/wormiversary/</link>
					<comments>/wormiversary/#respond</comments>
		
		<dc:creator><![CDATA[Paul Robertson]]></dc:creator>
		<pubDate>Fri, 01 Nov 2013 22:25:37 +0000</pubDate>
				<category><![CDATA[Archived Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=17907</guid>

					<description><![CDATA[<p>November 2, 2013 is the 25th anniversary of the Morris Worm. In the intervening years, we have not solved the problems of buffer overflows, reusable single-factor credentials, peer-to-peer trust or password&#8230;</p>
<p>The post <a href="/wormiversary/">Wormiversary!</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>November 2, 2013 is the 25th anniversary of the Morris Worm. In the intervening years, we have not solved the problems of buffer overflows, reusable single-factor credentials, peer-to-peer trust or password reuse.</p>
<p>What then have we learned from this incident?</p>
<p>1. Access to some files should be restricted.</p>
<p>No more world-readable password files. We now have shadow files in Unix and Unix-like OSes and restricted access to the SAM in Windows; however, password stealing and cracking are still big in the attacker community, so we never really solved the problem.</p>
<p>2. Sharing malicious code analysis and samples with trusted peers is a good thing[tm].</p>
<p>When big malicious code events happen, the usual defenders will share their analysis. This helps them to bring mitigations to bear sooner, and it’s a good thing. As we see more and more custom malicious code though, will this process be extended downwards, or will we simply see less cooperation on the side of the defense?</p>
<p>3. Logs are useful for responding to incidents.</p>
<p>Log retention and analysis is still a mostly post-incident activity for most organizations. Many forward-thinking organizations are doing real-time or near-real-time analysis, and Log-Based Intrusion Detection Systems (LIDS) have evolved to provide primary incident response initiation data.</p>
<p>4. Homogeneous systems are prone to mass infection.</p>
<p>Whether it’s homogeneous services or homogeneous operating systems, if there’s a common vector for compromise, then its exploitation will affect all of those things in your organization and any organization you share an exploitation vector with.</p>
<p>5. Systems not developed with security in mind are open to attack.</p>
<p>Sure, it’s blindingly obvious, but even though we have a fair number of “secure” systems available today, the administrative overhead of enabling security features tends to make the advice “disable $security_feature” the first step of deployment for any complex package on many of those systems, such as Linux distributions which enable SELinux by default.</p>
<p>I think it’s safe to say that though we may have learned many lessons from the Morris Worm in 1986, we haven’t systematically applied any real long-term solutions to the problems it uncovered.</p>
<p>======<br />
Source material<br />
<a href="http://www.thehackademy.net/madchat/vxdevl/avtech/A%20Tour%20of%20the%20Worm.pdf">http://www.thehackademy.net/madchat/vxdevl/avtech/A%20Tour%20of%20the%20Worm.pdf</a><br />
<a href="http://spaf.cerias.purdue.edu/tech-reps/823.pdf">http://spaf.cerias.purdue.edu/tech-reps/823.pdf</a><br />
<a href="http://www.snowplow.org/tom/worm/lessons.html">http://www.snowplow.org/tom/worm/lessons.html</a></p>
<p>The post <a href="/wormiversary/">Wormiversary!</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>/wormiversary/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
