Just when you think you’ve got all the windows closed and doors locked on your IT security, a new and unexpected hole is revealed to get you started on that next ulcer — or at least that’s how it seems at times. Here are a couple of interesting hacks that take advantages of weaknesses you may have never thought of but hackers have …

WireLurker: Most iPhone and iPad users never get a second thought to malware on their devices. After all, Apple scrubs all the apps that go into their app store, right? And, if you’ve been good and haven’t jailbroken your device, that “walled garden” of security should protect you since there’s no way to instal apps, malicious or otherwise, from other sources, right? Not exactly. What if you download an infected program to your Mac that then passes malware to your iPhone when you connect it via USB? Meet WireLurker. Here’s a description from MacRumors.com:

Once installed, WireLurker can collect information from iOS devices like contacts and iMessages, and it’s able to request updates from attackers. It’s said to be under “active development” with an unclear “ultimate goal.”

Didn’t see that one coming? Try this one on for size…

Gyrophone: I’ve posted here before about the possibility of malware surreptitiously turning on the microphone (or camera, yikes!) on a mobile phone turning your trusty sidekick into an always on surveillance device. One of the protections against this sort of attack is that apps, even bad ones, typically need to ask for your permission in order to access the mic (or camera). Of course, if the malware is disguised as a benign program you might be willing to grant access but it turns out that you may not have to. Researchers at Stanford found that the gyroscopes in modern phones that help them know how the device is oriented in your hand. so that the screen can rotate accordingly, are so sensitive that they can pick up the vibrations of ambient sound. In other words, you talk, your phone vibrates, the built-in gyro registers the movement (ever so slight as it may be) and then a program could pick up on this and transmit what you are saying without your knowledge. But wouldn’t you have to grant access to the gyroscope to the malicious program? No, because designers apparently never anticipated this sort of use (abuse?) of that feature. Read more about it and watch a video here.

Hacked Hotel: I’ll leave you with one more bit of grist for the mill from an article in the South China Morning Post:

A San Francisco-based cybersecurity expert claims he has hacked and taken control of hundreds of highly automated rooms at a five-star Shenzhen hotel.

Jesus Molina was staying at the St Regis Shenzhen, which provides guests with an iPad and digital “butler” app to control features of the room including the thermostat, lights, and television.

Realising how vulnerable the system was, Molina wrote a piece of code spoofing the guest iPad so he could control the room from his laptop.

After some investigation, and three room changes, he discovered that the network addresses of each room and the devices within them were sequential, allowing him to write a script to potentially control every one of the hotel’s more than 250 rooms.

“Hotels are particularly bad when it comes to security,” Molina said. “[They’re] using all this new technology, which I think is great, but the problem is that the security architecture and security problems are way different than for residential buildings”.

This sort of Internet of Things technology is great. Unfortunately, so are the opportunities for abuse. Clearly, we in the IT Security industry have some work to do. In the meantime, break out the tin foil hats… :-)

For some, the mere fact that newer mobile phone models exist is reason enough to desire them. For others, the tried and true, trusty sidekick that has served them well (not to mention, that it took it 2 years to figure out how to use the thing) is more than adequate.

I confess to belonging to the first group because I love new technology. I also lean that direction because of my security roots.

As I mentioned in my previous post, old phones run old software and old software has old security bugs that haven’t been fixed.

In keeping with that theme, Graham Cluely recently wrote a thought provoking post entitled “If You Care About Security, Throw Away Your iPhone 4 Right Now.” OK, it’s a bit alarmist, but the underlying point is valid.

This isn’t picking on Apple because Android has the same issue. The point is that while newer doesn’t always mean better, when it comes to security you need to remember that …

Goldilocksold phone = unsupported = security bugs that won’t ever get fixed

Of course, the flip side of this is that …

new phone = not fully tested = new security bugs (that will, hopefully, one day get fixed)

Oh, and, by the way, the same holds true for operating systems, apps, etc.

So, what are you supposed to do? Balance is the key. Too old or too new is always going to be riskier than “just right.” I think Goldilocks said that in the sequel …

Unlike fine wine or cheese, old software doesn’t get better with age, it just starts to smell bad. Certainly it can “mature” as upgrades and patches are applied but if you simply “install it and forget it” then you could be setting yourself up for a world of trouble.

Recently Microsoft withdrew support for an old standby, Windows XP, and, as a result, pushed many to upgrade or face the risk of exposure to an increasing list of unpatched security vulnerabilities. Many grumbled about having to make the change but it was not unexpected. It costs vendors lots of money to support any operating system so it behooves them to support the fewest number they can or risk draining precious resources that could be spent developing newer versions with even better features demanded by the marketplace.

Windows XP is old in OS terms — nearly 13 years old, in fact. So, the end of the ride was inevitable, even if not fully appreciated by everyone.

But what about, say, Windows 95? It would be hard to feel a lot of sympathy for a user still running that moldy oldie if their system got hacked. After all, that was essentially 8 generations ago as a desktop OS. There are tons of security bugs that have been discovered in it since its introduction and, while most of been fixed, there are plenty that never will be since it was withdrawn from support a long time ago. Therefore, anyone still running Win95 isn’t likely to get a lot of sympathy given the known risks of doing so, right?

What about someone doing essentially the same thing on their mobile phone? Smart phones have very complex operating systems and we are finding more and more security holes in them every day. What would you say to someone still running the Win95 equivalent of Android? Good luck!

Well, it turns out that about 20% of Android devices world wide are essentially doing just that. That’s roughly what Android 2.x matches up to if you compare its generations to those of Windows. How many bugs do you think are sitting around on those aging handsets just waiting to be exploited? A lot more than their owners are aware of, I suspect.

To be fair, mobile OS generations have been rolling out faster than desktop OSs lately so the time lines won’t match up perfectly, but the truth is that there are a scary number of mobile devices that are wide open to attack because they are running old software.

Why not simply update the OS on these devices? Because, in many cases you can’t. Unlike the PC world where a single vendor (i.e. Microsoft) can push out a new OS when they like and users can update whenever they choose (for the most part), the Android world involves a sometimes unholy trinity of handset makers, Google (who makes the Android OS) and the carriers. If you want to update your phone you have to get the sun, moon and stars to align so that all three parties allow it and that has proven much harder and slower than most people would like. Since change is happening so rapidly in the mobile space, it is hard for old handsets to keep up with the demands of new OS versions plus handset makers have a stronger incentive to get you to upgrade than they do to keep you on an old device.

What all this adds up to is a lot of handsets with OS levels that have long since passed from stale to downright rotten and since hackers are drawn to vulnerable systems like ants to a picnic, it would not at all be unreasonable to expect a buggy mess as a result.

The Apple/iOS ecosystem is a little less complicated because you have only a two-headed monster (Apple and the carrier) to deal with. This results is fewer options for users but considerably less software rot.

More freedom/choice or more security? I actually use both but hope that whichever one you choose, you at least do so with your eyes wide open…

Toilet-My SATISSo, you thought IoT stood for “Internet of Things,” right? A reference to the instrumentation of all sorts of previously stand alone devices like refrigerators, washers, dryers, thermostats, implantable medical devices, cars, etc., in such a way as to make them accessible from via the Internet. Cool stuff … when it works. When it doesn’t? Not so much …

How about a high tech toilet that lets you use your Bluetooth enabled phone to as a remote control to:

  • raise and lower the seat
  • flush
  • turn on the bidet feature (for the uninitiated, this means a stream of water is sprayed at your private parts)
  • and who knows what else?

I guess it could be interesting if you really get bored in the bathroom but, even as someone who loves technology, I’m just not sure that this sort of confluence of water, electricity and sensitive body parts should be brought that close together, if you know what I mean.

What if said toilet had a security flaw that allowed essentially anyone within Bluetooth range (which is supposed to be about 10 meters but can be extended substantially if you know what you’re doing) to control all these functions remotely without your permission?

And what if robo-potty also kept records of all your, let’s say, “activity” for reasons I’m not sure I even want to know?

Well, that’s the case with the My SATIS “luxury” toilet, where it turns out that the Bluetooth code for all the devices is hardcoded as “0000” and can’t be changed, according to a report from the BBC. That means that anyone with an Android phone can download the app, connect to your porcelain convenience and have a grand ole time at your expense.

Take it all one step further and make it part of a “connected home” ecosystem, which, thankfully, hasn’t been done yet and you could imagine the range for these attacks going global.

Brave new world? I certainly hope not …

Recycling great, except for when it isn’t. To see what I mean, take a look at my post on securityintelligence.com.

It’s all about speed these days — quicker deployment, shorter time to value, instant gratification. Historically, though, one of the friction points in IT has been the invisible wall between Development, who writes the code, and Operations, who supports the real world implementation. DevOps is concerned with knocking down that wall and greasing the skids, as it were, in order to achieve a more agile and responsive software development and deployment cycle.

But what is sacrificed in the process? What risks are introduced by this amped up mode of operation?

If you aren’t careful, the answer is security.

So, some of my colleagues and I put together a brief overview on the Security considerations for DevOps adoption which was just published over on the IBM developerWorks web site. In the paper we discuss some of the issues that need to remain top of mind so that you can still realize the benefits of DevOps without killing security in the process.

By now one would hope that the worst of the Heartbleed crisis is behind us. All the servers should be patched, new certificates generated and passwords changed, right? The answers are: probably, hopefully and unlikely, respectively. Compromised passwords are still floating around in the ether so if you haven’t fixed them, do so.

But what about the next Heartbleed? One thing that is about as sure as death and taxes is that there will be another massive vulnerability that will, no doubt, expose millions of user accounts. So, do we just sit tight and wait for the oncoming storm or is there a preemptive strike you can make now to less the likelihood it will impact you in a big way?

I think there is and it’s the subject of my recent post to the IBM Security Intelligence blog. Take a read through it and stay safe.