key-470345_1280Increasingly, we are living more and more of our lives online. What used to be in person interactions are more likely to be virtual. Rather than going to the bank, you can deposit a check by taking a picture of it with your mobile phone (along with some magic from a specially-designed mobile app from the bank). Make investments from your browser. Speak with a doctor via video conference for a virtual office visit from the comfort of your own home rather than spending the morning in a waiting room full of other sick people sharing their germs. Buy that hot new gadget online and have it show up at your door a few days later.

Great stuff — and it all relies on a system of trust for verifying identities of the various parties based typically on our ability to enter a presumably “secret” password that no one else knows when prompted.

But what if you aren’t the only one who knows your password? You didn’t tell anyone what it was (please, tell me you didn’t!) and you didn’t write it down where others could read it (I know you’re smarter than that, right?). Instead, you stored it in an encrypted software password vault of some sort and gave yourself a pat on the back for this technical accomplishment.

Great! That’s what you should do. However …

… no system is perfect and that includes encrypted password stores. If you use a Mac, Keychain is a convenient choice. It makes things easier still if you have multiple Apple devices by synchronizing passwords via iCloud so that your iPhone and iPad get updated when you change a password on your MacBook.

Or you could use LastPass or 1Password, which provide similar functions across Apple and non-Apple platforms like Windows and Android. There are plenty of other similar choices too but let’s keep this discussion simple and just look at these.

Well, guess what? In the past week, stories have come to the forefront that all of these solutions are vulnerable to attack.

  • Glen Fleishman of MacWorld.com does a nice job of explaining the technical details of the LastPass hack and the protections in place to deal with the risk in this article.
  • Glen also covers the latest vulnerability disclosure in OS X and iOS that expose Keychain to hacking in this article.
  • 1Password makers tried to reassure their users in this blog post.

None of these revelations should come as a surprise. OK, so maybe you didn’t know the specifics but the point is any operational system is vulnerable. The goal should not be to eliminate all risk (although, that would be nice), but rather, to bring risks down to an acceptable level by mitigating the ones we can and avoiding or accepting the ones we can’t.

Quoting from the 1Password blog:

There is a saying […] “Once an attacker has broken into your computer […], it is no longer your computer.” So in principle, there is nothing that 1Password can do to protect you if your computer is compromised.

Very true. The lesson here is not that we shouldn’t use password managers. The alternative is worse. The lesson is that none of these systems are sufficient to keep everything secure. That means you have to protect your system from malware by:

  • not installing software from questionable sources
  • not clicking on attachments that you aren’t expecting
  • not using trivial passwords
  • not neglecting to install patches both to the operating system and apps
  • not storing passwords in the cloud but, instead, syncing across devices via a wired or secured wifi connection

Also, choose to set up 2-factor or 2-step authentication on the systems that support it. These typically involve sending you a text message with a seemingly random number that only you will know if you have pre-registered your phone and keep it in your possession (and free from malware too). These systems aren’t perfect either, but they make the job of cracking your castle harder for the bad guys and that’s a good thing for you and your online kingdom.

jc-blog-iphoneSecurity professionals have been begging people to secure their mobile devices with a strong passcode for years. Yes, it’s a pain to have to type in all those characters on a tiny keyboard but the alternative is that anyone who can put their hands on your phone could read all your emails, texts, pics, view phone history, see everywhere you’ve gone and install malware that will keep track of all of this remotely (plus turn on your mic to listen on your conversations even when you aren’t making a call — ditto with the camera).

Maybe your life is an open book and you don’t care about privacy. Surely you care about your bank account, your reputation and your company’s confidential information, which, if not protected, could, at minimum, cost you your job (if not bankrupt the organization). Yes, a bad guy could use your phone’s mobile banking app to raid your funds or satisfy the second factor login requirement your financial institution’s web site requires for users of a web browser (assuming you bothered to set up those protections).

Many think, “OK, I’ll do a 4-digit PIN and that will be enough, right?” On the surface it sounds like a reasonable compromise. It’s not as inconvenient as an 8-character, alphanumeric passcode, but it still would mean that a hacker would have to try, on average, 5,000 different numeric combinations (half the total of 10,000 possibilities since the odds would be 50-50 of a correct guess at that point) to break in and who has that kind of time? Better still, the reasoning goes, “I’ve turned on that setting that automatically wipes the device after 10 incorrect tries, so the bad guy would have to be incredibly lucky to guess the right sequence that quickly.”

As the saying goes, “there’s nothing more dangerous than presumed security.

What is being assumed, in this case, is that someone won’t come along and build a box that could automate the process of entering all those possible PINs and, here’s the kicker, disconnect the power supply on the device before it has a chance to wipe the phone’s storage after an incorrect guess. In other words, unlimited tries with no penalty. And what if the process of trying all 10,000 combinations could be done in roughly 4.5 days (bearing in mind that this is the worst case for the bad guy and the best case could be just a few seconds)? And what if this box only cost about $300?

IMG_1602What this means is that anyone who steals your phone (or just has access to it for some reasonable period of time, such as while you are asleep) could do all the nasty stuff described above to your bank account, company, Twitter feed, emails, photos and so forth. Well, that scenario exists.

So, while it may be a royal pain to enter that complex, 8 character passcode, it is, unfortunately, necessary. As an alternative, if you have one of the newer iPhones, you could simplify things with a fingerprint scan using the built-in Touch ID sensor. No, it isn’t perfect either. Nothing in security ever is, but it
could be a better trade off than the venerable but broken, 4-digit PIN.

Screen Shot 2015-02-05 at 2.16.49 PMIn 2013 I did a presentation on social media threats at the OOP (Object Oriented Programming) conference in Munich. (You can see my presentation here.)

Well, the folks that ran the conference were nice enough to invite me back for this year’s event where I did a talk entitled “The Data Center in Your Pocket: Securing Mobile Devices.”

There’s logo_biggerno video this time around but I did do an interview for InfoQ.com on the general topic of mobile security, which you can find here, in case you’re interested.

You are driving down the road minding your own business on a brisk winter day when suddenly the stereo starts blaring unrecognizable music, the air conditioner begins blasting cold air, the onboard navigation system changes course, the headlights start flashing, the engine turns off, killing the power steering and braking systems making a controlled stop difficult, if not impossible. Oh, and the same thing just happened to every other car on the road around you at the very same time.

Got your attention?

That scenario, though implausible today, is not impossible in the not too distant future. The Internet of Things (IoT) movement to turn everything we use into computers has already taken hold in the automotive industry. Cool new features that let you remotely lock and unlock and start your car are becoming more common. That’s great news for both the good folks who enjoy this infusion of technology into more and more parts of their lives and it’s great news for the bad guys who would like to exploit the darker sider of these advancements.

The point is that if you can control all these systems on your car wirelessly, the potential exists for a hacker to do the same.

While the doomsday scenario outlined previously is still a bit far fetched, it may not be as unlikely as you might think as we are already starting to see proof of concept attacks and other vulnerabilities emerge. Here are a few examples:

  • Reuters reported that BMW recently patched a bug that left over 2 million Rolls-Royce, Mini and BMW cars open to having their doors unlocked by attackers. According to the article, the vulnerable software allowed drivers to:

    activate door locking mechanisms, as well as a range of other services including real-time traffic information, online entertainment and air conditioning.

    Apparently the communications between the car and the controller weren’t encrypted so an attacker could trick the car into listening to unauthorized commands. The problem is supposed to be fixed now but one has to wonder why it just now occurred to the powers that be that authenticating the source of the commands might be an important feature.

  • The Register reported that:

    Zhejiang University students have hacked the Tesla Model S with an attack that enabled them to open its doors and sun roof, switch on the headlights and sound the horn – all while the car was driving along.”

  • And there’s this from ARS Technica:

    papers published in 2010 and 2011, on-board components such as CD players, Bluetooth for hands-free calls, and “telematics” units for OnStar and similar road-side services make it possible for an attacker to remotely execute malicious code.
    The research is still in its infancy, but its implications are unsettling. Trick a driver into loading the wrong CD or connecting the Bluetooth to the wrong handset, and it’s theoretically possible to install malicious code on one of the ECUs. Since the ECUs communicate with one another using little or no authentication, there’s no telling how far the hack could extend.”

  • And if you’d like to see a proof of concept take a look at this video which shows a car’s horn, steering and brakes being controlled by a backseat driver.

Before you throw away your keys and go horse shopping bear in mind that most cars on the road lack these sort of remote control capabilities in the first place but that is changing. The hope here is that the auto makers will learn from these early mistakes and make safer vehicles in the future. The likelihood is that we will hear about a lot more of these types of vulnerabilities before they do.

Now, who wants a self driving car?

You’ve just checked into your hotel and gotten situated in your room. All that time on the plane has left you feeling a bit out of touch so you head down to the business center to do a quick check of your email. You’re in luck — there’s a free workstation just waiting there for you. You log in to your account, read a few, respond to some, delete some spam, log off and head for the gym feeling that everything is now in order. But is it?

Turns out that the person using that same PC a few hours ago opened an attachment that contained malware that installed itself on the system and has been recording every keystroke entered ever since. Making matters worse, all those email responses, web site addresses, credit card numbers and logins have also been surreptitiously forwarded to someone on the other side the world who now has everything they need to take over your email, raid your bank account and run up charges on your credit card.

Krebs on Security has a good post on this threat along with a discussion of  some preventative measures your hotel could have taken to protect you. The problem is, as the author points out, all of them can potentially be circumvented.

Of course, you could enable all your accounts to use 2-factor (a.k.a. two step) authentication where a seemingly random set of numbers are texted to your phone that you then have to enter after entering your account name and password (and you should!), but most people don’t want to be bothered with this extra step and they are precisely the ones that the bad guys are counting on.

The bottom line is, if you don’t control the system you’re using (and you never do with a public terminal), you really have no idea who else might be listening in so you should consider that anything you type (including your password) is now public information.

The best thing you can do to avoid this scenario is simply to not use public workstations. It may be a pain to lug along your own laptop but it beats the alternative.

Just when you think you’ve got all the windows closed and doors locked on your IT security, a new and unexpected hole is revealed to get you started on that next ulcer — or at least that’s how it seems at times. Here are a couple of interesting hacks that take advantages of weaknesses you may have never thought of but hackers have …

WireLurker: Most iPhone and iPad users never get a second thought to malware on their devices. After all, Apple scrubs all the apps that go into their app store, right? And, if you’ve been good and haven’t jailbroken your device, that “walled garden” of security should protect you since there’s no way to instal apps, malicious or otherwise, from other sources, right? Not exactly. What if you download an infected program to your Mac that then passes malware to your iPhone when you connect it via USB? Meet WireLurker. Here’s a description from MacRumors.com:

Once installed, WireLurker can collect information from iOS devices like contacts and iMessages, and it’s able to request updates from attackers. It’s said to be under “active development” with an unclear “ultimate goal.”

Didn’t see that one coming? Try this one on for size…

Gyrophone: I’ve posted here before about the possibility of malware surreptitiously turning on the microphone (or camera, yikes!) on a mobile phone turning your trusty sidekick into an always on surveillance device. One of the protections against this sort of attack is that apps, even bad ones, typically need to ask for your permission in order to access the mic (or camera). Of course, if the malware is disguised as a benign program you might be willing to grant access but it turns out that you may not have to. Researchers at Stanford found that the gyroscopes in modern phones that help them know how the device is oriented in your hand. so that the screen can rotate accordingly, are so sensitive that they can pick up the vibrations of ambient sound. In other words, you talk, your phone vibrates, the built-in gyro registers the movement (ever so slight as it may be) and then a program could pick up on this and transmit what you are saying without your knowledge. But wouldn’t you have to grant access to the gyroscope to the malicious program? No, because designers apparently never anticipated this sort of use (abuse?) of that feature. Read more about it and watch a video here.

Hacked Hotel: I’ll leave you with one more bit of grist for the mill from an article in the South China Morning Post:

A San Francisco-based cybersecurity expert claims he has hacked and taken control of hundreds of highly automated rooms at a five-star Shenzhen hotel.

Jesus Molina was staying at the St Regis Shenzhen, which provides guests with an iPad and digital “butler” app to control features of the room including the thermostat, lights, and television.

Realising how vulnerable the system was, Molina wrote a piece of code spoofing the guest iPad so he could control the room from his laptop.

After some investigation, and three room changes, he discovered that the network addresses of each room and the devices within them were sequential, allowing him to write a script to potentially control every one of the hotel’s more than 250 rooms.

“Hotels are particularly bad when it comes to security,” Molina said. “[They’re] using all this new technology, which I think is great, but the problem is that the security architecture and security problems are way different than for residential buildings”.

This sort of Internet of Things technology is great. Unfortunately, so are the opportunities for abuse. Clearly, we in the IT Security industry have some work to do. In the meantime, break out the tin foil hats… :-)

For some, the mere fact that newer mobile phone models exist is reason enough to desire them. For others, the tried and true, trusty sidekick that has served them well (not to mention, that it took it 2 years to figure out how to use the thing) is more than adequate.

I confess to belonging to the first group because I love new technology. I also lean that direction because of my security roots.

As I mentioned in my previous post, old phones run old software and old software has old security bugs that haven’t been fixed.

In keeping with that theme, Graham Cluely recently wrote a thought provoking post entitled “If You Care About Security, Throw Away Your iPhone 4 Right Now.” OK, it’s a bit alarmist, but the underlying point is valid.

This isn’t picking on Apple because Android has the same issue. The point is that while newer doesn’t always mean better, when it comes to security you need to remember that …

Goldilocksold phone = unsupported = security bugs that won’t ever get fixed

Of course, the flip side of this is that …

new phone = not fully tested = new security bugs (that will, hopefully, one day get fixed)

Oh, and, by the way, the same holds true for operating systems, apps, etc.

So, what are you supposed to do? Balance is the key. Too old or too new is always going to be riskier than “just right.” I think Goldilocks said that in the sequel …