This blog provides opportunities for students of RIT’s Cyber Self Defense classes to post their thoughts on information security topics of their choosing and to discuss those posts. If you’re in a class section using this blog, please read the requirements concerning posts and comments in your syllabus. If you’re visiting, welcome to the blog.
by Morgan Maroni
A new “visual malware” called PlaceRaider has been developed by a team at Indiana University and the U.S. Navy for use on smart phones.
Basically, it’s a trojan that runs in the background on Android phones running 2.3 or above. It is hidden in an app that gives it the necessary permissions to mute the camera’s shutter sound, quietly take a picture about every 2 seconds, and upload the images to the attacker’s network. It uses the phone’s camera, gyroscope, and accelerometer, along with time, location, and orientation data from the pictures themselves, to construct 3D models of the rooms it photographs.
If you look at this as an actual legitimate application, it does have some merits that some fields, like architecture, could use. I myself am imagining a somewhat creepy app that could take pictures of your room, and then, when you go and lose something, you could go through the pictures and models and find out where that thing sitting on your desk was last. Silly application uses aside, PlaceRaider was intended and developed as something attackers might use.
In a test, an office-type room was set up, with papers and other personal items, like financial information, lying around. They had PlaceRaider map out the room, and the people on the other end were able to use the 3D models successfully to find information throughout the room, including bar codes, bank account numbers, names, dates, etc. This is what is called “virtual theft” through remote reconnaissance.
The technology is far from threatening right now, but it is still interesting to think about just how much our smart phones could expose about us. Especially since so few people use anti-virus or anti-malware on their phones, the vulnerability is there.
In an interesting turn of events, America has seemingly become the target of Iran’s new cyber army. I guess this really just means China does not have to work as hard. Although, in all seriousness, Iran is a force to be reckoned with. Ever since the Stuxnet virus, Iran has rapidly developed its cyber power. With that said, they have not reached the heights of many European countries or China and Japan, but as the director of Homeland Security Policy said, “And what they lack in capability they more than make up for in intent.” This intent was enough to delay users of Bank of America, Citibank, and JPMorgan Chase & Co. Apparently, this was in response to Western economic sanctions against Iran’s nuclear program. In these attacks users were only delayed in using the companies’ websites, but in another incident that Iran has been accused of instigating, this was not the case.
Saudi Aramco was the target of a virus now known as Shamoon. The attack was well planned and included the use of insiders. The code of Shamoon itself was similar to Flame, with the most notable similarity being the erasing component of the virus. Shamoon was able to erase data on 75% of Aramco’s corporate computers, and a burning American flag replaced all the data on these computers. Aramco hired security experts from Symantec and flew out twelve American experts who, when they landed, already had a handle on how the virus worked. Despite the timely response of Aramco and Symantec, the attack was devastating enough to become the world’s greatest example of corporate cyber espionage. This all occurred during Lailat al Qadr, which is one of Islam’s holiest nights of the year.
In both cases hacking groups took responsibility for the results of these incidents. However, at least in the case of the Aramco breach, the level of sophistication required to pull off the attack was great. This seems to be what has many nations believing that the attacks may actually have originated in Iran. There are other motivating factors, but what I want to know from my classmates is whether they believe that Iran is behind these attacks, or whether this is sensationalized to sell papers.
These are the links I visited while writing this paper:
Recently, a phishing trick involving shortened .gov URLs has become popular in luring even savvy internet users. Email spam is the primary method for distributing the short links, and the click rate has been significant: in just five days over 16,000 victims were redirected after falling for a link that appeared to be a CNBC news article talking about some “work from home” scheme, which everyone deep down inside knows is just a scam.
But because the phishers are modeling their malicious shortened URLs after several U.S. state government domains, like Vermont.gov or some tax service, even people of average intelligence can fall into their trap.
The .gov short URL service is run by the U.S. government, in partnership with bitly.com. It was designed to let users submit a long URL to bitly that resides on a .gov or .mil top-level domain. The goal of the service is to make it easier to verify the authenticity of a U.S. government site in a shortened URL. But a flaw in software designed to give website developers the ability to configure a set of custom redirect values creates an open-redirect vulnerability, which simplifies phishing attacks by bypassing protection mechanisms.
“Despite the best intentions, 1.usa.gov short links seem to be ineffective at ensuring the ultimate destinations of the URLs are trustworthy government websites.” -Jeff Jarmoc, Dell SecureWorks
Dell traced the IP destination of the malicious servers used in the attack to hosting services in Moscow and InMotion Hosting Inc., based in Los Angeles.
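The situation this post describes, as an added example that is not code from the original post or from bitly/USA.gov: the shortener only checks that the submitted long URL lives on a .gov/.mil host, but that host runs an open redirector, so the short link still lands on an attacker’s page. The hostnames, the short-link table and the fake HTTP layer are constructed for the demo; the hardened `safe_redirect` shows what the redirector should have done instead.

```python
# Added example, not code from the original post or from bitly/USA.gov.
# Models the open-redirect problem the post describes. All hosts, paths and
# the short-link table below are constructed for this demo.
from urllib.parse import urlparse, urljoin, parse_qs


def is_government_host(url):
    host = (urlparse(url).hostname or "").lower()
    return host.endswith(".gov") or host.endswith(".mil")


def vulnerable_redirect(base, target):
    """The open redirector: whatever 'url' the visitor supplied becomes the Location."""
    return urljoin(base, target)


def safe_redirect(base, target):
    """Hardened version: only a path on this same site may be the destination."""
    p = urlparse(target)
    if p.scheme or p.netloc:                          # absolute URL or protocol-relative //host
        return urljoin(base, "/")
    if "\\" in target or not target.startswith("/"):  # browsers treat \ as /; no relative paths
        return urljoin(base, "/")
    return urljoin(base, target)


# Constructed table: short link -> the long .gov URL the shortener accepted.
SHORT_LINKS = {
    "https://1.usa.gov/abc123": "https://example.vt.gov/redirect?url=https://evil.example/cnbc",
    "https://1.usa.gov/def456": "https://example.gov/page",
}


def fake_fetch(url):
    """Stand-in for HTTP: the Location header a URL answers with, or None for a final page."""
    p = urlparse(url)
    if p.hostname == "example.vt.gov" and p.path == "/redirect":
        target = parse_qs(p.query).get("url", [""])[0]
        return vulnerable_redirect(url, target)   # the .gov site's open redirector
    return SHORT_LINKS.get(url)


def follow(url, fetch=fake_fetch, max_hops=10):
    """Follow redirects and return every URL visited, final destination last."""
    chain = [url]
    for _ in range(max_hops):
        nxt = fetch(chain[-1])
        if nxt is None:
            return chain
        chain.append(nxt)
    raise RuntimeError("too many redirects")


def shortener_accepts(long_url):
    """The check the post describes: the submitted long URL must live on .gov/.mil."""
    return is_government_host(long_url)


def destination_is_trustworthy(short_url):
    """What the user actually needs: every hop, the final page included, stays on .gov/.mil."""
    return all(is_government_host(u) for u in follow(short_url))


if __name__ == "__main__":
    for short in SHORT_LINKS:
        print(short, "->", " -> ".join(follow(short)[1:]),
              "| trustworthy:", destination_is_trustworthy(short))
```

The point of `destination_is_trustworthy` is that a shortener (or a user) has to judge the final landing page, not the URL that was submitted; `shortener_accepts` returns True for the poisoned link because the redirector genuinely sits on a .gov host.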
As we advance into the future, more and more medical devices are going wireless. Patients are so far enjoying their new wireless technology because it allows them to be more mobile, rather than being tied to a bed by these medical machines. Also, “less invasive monitoring and treatment methods for common diseases has also improved patient mobility. Innovations have allowed at-home patient monitoring, minimizing patient trips to the hospital and saving valuable hospital space.”
This all seems well and good, but what people fail to realize is that these machines are essentially computers, and can be hacked just like everything else. Barnaby Jack showed the ability to do this last February. For Jack’s example, he hacked into the insulin pumps used by diabetics. With a wave of his antenna and a push of a button, Jack had the security credentials for the pump, using a program that he wrote himself. His software then instructs the pump to slowly empty its insulin supply into the body, which will most likely be fatal, especially if the patient doesn’t know until it’s too late. Currently insulin pumps and pacemakers are the two big wireless medical devices, but there are others as well.
Thankfully, no actual attack like this has ever happened to a patient in real life. However, that raises the question of when it will happen. All it takes is one mentally disturbed person with the right know-how to execute this hack. Hackers have already caused physical pain to people before, when a hacking group filled the Epilepsy Foundation’s website with a bunch of epileptic flashing images, sending many into seizures. What’s even scarier is that there hasn’t been that much security put in place on these devices just yet. So far there has been a prototype firewall made by researchers at Purdue and Princeton… but that’s it. You have to wonder if it’ll actually take a person’s death before we see some regulation on these devices.
A recently discovered flaw in 3G-enabled devices seems to allow an attacker to track any one of these devices. Any such device would be vulnerable, since the 3G system has this flaw hard-wired into its design.
The most shocking part of the exploit is described by the researchers who reported the issue: “The attacker does not need to know any keys, nor perform any cryptographic operation… [These] kind of vulnerabilities usually look trivial once uncovered but often remain unnoticed for [a] long time, since they do not involve fancy cryptography but are caused by errors in the protocol logic.” So essentially, for anyone who wants to sniff a radio link, there really isn’t anything preventing them aside from the knowledge needed to perform such a task.
The 3G standard specifies that the user’s permanent identity should be masked from being revealed, by providing user identity confidentiality as well as regular updates to the 3G-enabled devices, making it impossible for a user to be traced even if the attacker is sniffing the radio link.
The strangest part of the story is that this vulnerability was found in the past and patched, but it can still be circumvented easily: simply by spoofing an IMSI paging request (what a mobile network uses to locate a device and provide the necessary services to it), one specific device can be pinpointed accurately and its location found. As the researchers explain: “The possibility of triggering a paging request for a specific IMSI allows an attacker to check a specific area for the presence of mobile stations of whom he knows the identity, and to correlate their IMSI and TMSI,” which really summarizes it nicely.
Another vulnerability lies in the session keys that authenticate a device to the network. This authentication uses a protocol called Authentication and Key Agreement (AKA). These keys can be identified by sniffing an AKA request and then sending that request to all devices within a certain area. All the devices except the target would return an authentication failure, which identifies the target device and, again, allows for tracking. So the error messages make it possible to track specific devices. The researchers tested the theories on a range of networks, but any network that follows the 3G protocol standard is technically vulnerable. While these attacks are possible, they can be easily mitigated with more aggressive cryptography employed by the networks, but it remains to be determined whether fixing this is a big enough priority.
Overall, 3G has somewhat significant exploits, but it remains to be seen if they are significant enough to get fixed quickly, and since many people are switching to 4G, if they even should.
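The AKA error-message oracle described in the post, as an added example that is not code from the original post or from the researchers who reported the flaw. It is a deliberately simplified model: HMAC-SHA256 stands in for the Milenage f1 function, the sequence number is a bare counter sent in the clear (real AKA hides it behind an anonymity key inside AUTN), and the keys and IMSIs are constructed. The behaviour modelled is the one the published attack relies on: a replayed challenge draws a synchronisation failure from the one phone whose key validates the MAC and a MAC failure from every other phone, and that difference is what lets the attacker single out the target.

```python
# Added example, not code from the original post or from the cited researchers.
# Toy model of 3G AKA and the replay attack on its failure messages.
import hashlib
import hmac
import os


def f1(k, rand, sqn):
    """Toy message authentication function (stand-in for Milenage f1)."""
    return hmac.new(k, rand + sqn.to_bytes(6, "big"), hashlib.sha256).digest()[:8]


class Device:
    """Mobile station: holds its long-term key K and the highest SQN it has accepted."""

    def __init__(self, imsi, k):
        self.imsi, self.k, self.sqn = imsi, k, 0

    def authenticate(self, rand, sqn, mac):
        if not hmac.compare_digest(f1(self.k, rand, sqn), mac):
            return "MAC_FAILURE"        # not my key: this challenge was for another phone
        if sqn <= self.sqn:
            return "SYNC_FAILURE"       # my key, but SQN is not fresh: a replay
        self.sqn = sqn
        return "RES"                    # genuine and fresh: answer the challenge


class Network:
    """Home network: knows every subscriber's key and issues challenges."""

    def __init__(self):
        self.keys, self.sqn = {}, {}

    def register(self, dev):
        self.keys[dev.imsi], self.sqn[dev.imsi] = dev.k, 0

    def challenge(self, imsi):
        self.sqn[imsi] += 1
        rand, sqn = os.urandom(16), self.sqn[imsi]
        return rand, sqn, f1(self.keys[imsi], rand, sqn)


def locate(captured, devices):
    """Attacker replays a sniffed challenge to every phone in range: the one that answers
    SYNC_FAILURE instead of MAC_FAILURE is the phone the challenge was issued to."""
    return [d.imsi for d in devices if d.authenticate(*captured) == "SYNC_FAILURE"]


def authenticate_uniform(dev, rand, sqn, mac):
    """Illustrative mitigation (an assumption here, not the researchers' proposal):
    collapse both failures into one message so a replay no longer distinguishes phones."""
    return "RES" if dev.authenticate(rand, sqn, mac) == "RES" else "AUTH_FAILURE"


def locate_against_uniform(captured, devices):
    return [d.imsi for d in devices if authenticate_uniform(d, *captured) != "AUTH_FAILURE"]


def demo():
    """Returns (target IMSI, phones the attack finds, phones found once failures are uniform)."""
    net = Network()
    devices = [Device("00101000000000%d" % i, os.urandom(16)) for i in range(5)]  # constructed
    for d in devices:
        net.register(d)
    target = devices[2]
    captured = net.challenge(target.imsi)           # sniffed on the radio link
    assert target.authenticate(*captured) == "RES"  # the target accepted it legitimately
    return target.imsi, locate(captured, devices), locate_against_uniform(captured, devices)


if __name__ == "__main__":
    print(demo())
```

The uniform failure message is only an illustration of why the leak exists: in real 3G the synchronisation failure carries resynchronisation data the network needs, so the messages cannot simply be merged, and the researchers’ own proposal instead encrypts the failure message under a public key of the network so that only the network can read which failure occurred.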
TrueCaller is an app that came out recently from Sweden. NumberBook is another app with the same concept as TrueCaller. Both apps came out in 2012, in the past 6 months. Both apps allow a person to look up anyone he or she is looking for, or the opposite: they search by a person’s phone number and the app gives you the name of the person who is calling you.
How do both apps work? And where do these apps get their information?
The way these apps work is that when you download the app on your device, whether it is a smartphone or a PC, the software syncs the contacts you have on your device and publishes them. Also, the app publishes your most common name from the devices of people who have the app. For example, if your name is “Faris” and your name is Ben in the contact lists of three of your friends, and your name is “Faris Almathami” in the contact lists of two of your friends’ devices, then your name in the app is going to be “Faris”.
The topic of TrueCaller and NumberBook is not only a security issue, as security people might think, but also a huge privacy issue. I think your phone number is something you wouldn’t like to share with everyone, especially if you are an important or famous person. These apps seem to be completely legal, but I think both apps break the privacy of too many people who don’t have the chance to prevent other people from getting their numbers, or their names by number.
I personally got an idea for people who want to change their names in these apps, which is:
* Get about 10 different devices or more and make sure these devices don’t have any contacts in them.
* Save your number with a totally different name or just a weird one; for example, (Irvine’s boutique) or (In-n-out) or anything you think the person who is looking your number up would think is weird.
* Save another contact that has your actual name, nickname or the name you think would save you as in their devices with a weird number like (1234567890) or just (1).
* Download both apps in all devices.
* Allow both apps to sync or save all contacts in all devices.
* Done – check.
“Speaking to a group of U.S. business leaders last week, Defense Secretary Leon E. Panetta issued a dire warning that foreign hackers are becoming increasingly sophisticated and that their online attacks on transportation systems, banks and other vital facilities are escalating.”
Based on the numerous blog articles that this class has presented on cyber security, I’m pretty sure we have proven this quote to be true. Certain cyber activists, like Defense Secretary Panetta, are again lobbying Congress for a more defined structure on how to handle and protect the United States from what he calls a potential “cyber Pearl Harbor”.
The United States has become an increased target for foreign nation-sponsored cyber attacks, and we’re pretty unprepared. In August, measure S.3414 was presented to the Senate. Measure S.3414’s basic goal was to “… enhance the security and resiliency of the cyber and communications infrastructure of the United States.” This measure was unfortunately blocked by a Republican filibuster. Why it was blocked, I’m not going to get into (politics can be a dangerous zone to enter), but what is clear is that there is a need for a more defined government cyber defense policy.
This need has now materialized itself in a bipartisan House bill that only addresses the area of information sharing between targeted companies and the federal government. This new bill, H.R. 3523, is aimed to “… provide for the sharing of certain cyber threat intelligence and cyber threat information between the intelligence community and cybersecurity entities, and for other purposes.”
As the topic of cyber defense has reached a governmental level, it is becoming clear time and time again that there is an apparent need for a centralized cyber defense measure. The fate of H.R. 3523 is not known yet, but time will tell if we as a country make the move to a more secure digital future.
I found an article about Google making hacking acceptable: Google is actually inviting hackers to seek out and find vulnerabilities in the Chrome browser. Google (GOOG, Fortune 500) first announced its “Chromium Security Rewards Program” in 2010. This program offers small monetary rewards to researchers (hackers) who find potential security holes in its Chrome Web browser. A teenage male who goes by the handle “Pinkie Pie” has taken home Google’s money multiple times. Google fixes the problems within 10 hours with software updates.
- In February 2012, Google sponsored a “Pwnium” contest that sought “fully functional exploits”; Pinkie Pie was one of two hackers to score a $60,000 prize at that event.
- At the Pwnium 2 competition, called “Hack in the Box”, held in Kuala Lumpur, Malaysia, his hack relied entirely on bugs within Chrome itself. Pinkie Pie again took home $60,000 for his fresh exploit.
Pinkie Pie never received a reply, but a Google rep told Wired at the time that they’d be taking a second look at his resume. At this rate, though, continuing to hack his potential employer might be a better gig than a full-time job.
First Published: October 10, 2012: 6:28 PM ET
U.S. small business owners are greatly underestimating their cyber security risk: 77% of small businesses believe that their company is safe from hackers, viruses, malware, and other cyber threats, but 83% of them do not have an actual cyber-security plan in place. These surveys came out as part of Cyber Security Awareness Month. The survey also comes after learning that cyber-attacks against small businesses have already doubled this year. There is a need for IT/security management at these smaller businesses. Unfortunately, many smaller businesses don’t believe spending money on cyber security is necessary, but for small, poorly protected companies an attack could be disastrous.
- 83% think they are doing enough to protect customers
- 70% do not have a policy for social media use
- 71% say their business is dependent on the internet for day-to-day operations
- 66% have the business owner “operating” cyber security for their company
- while only 9% have an actual IT employee
It’s funny how, not too long ago, when someone heard the word ‘fishing’ they assumed you meant that you were going to a lake, stream, river, ocean, or pond and using a fishing pole and tackle to catch a fish. It’s shocking, I know. But nowadays the word ‘fishing’ or ‘phishing’ doesn’t always mean that anymore. It still has the same concept, I suppose, but you’re not ‘phishing’ for the same thing anymore. Now you’re trying to ‘catch’ someone’s information rather than a fish. Anyways … now to the article!
On August 24, 2012, there were phishing attacks going around that targeted BlackBerry users. They tried to fool users into opening an email on their Windows machine, which would then launch malware that would take over the user’s computer. The attacker created an email that looked like it came from the BlackBerry company, saying that “they have successfully created a Blackberry ID” and “to enjoy the full benefits of the Blackberry ID, please follow the instructions on the attached file.” If the user fell for it and opened the attached file, which is loaded with malware, then the user’s computer would be taken over. Websense Security Labs said that they noticed the BlackBerry-related campaign on Thursday, but 17 out of the 36 vendors still have not done anything to fix it. Websense also said that they are seeing similar emails coming from hotels.
The article did not say how many people fell for this phishing attack or how much information was stolen if the user did open the attached file.
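A triage routine for a message of the kind the post describes, as an added example that is not code from the original post or from Websense. The raw .eml below, its headers, the attachment name and the attachment bytes are all constructed for the demo; the three checks it runs (envelope sender versus From domain, executable or double extension on the attachment, and a file that starts with the Windows “MZ” signature whatever its name claims) are the ones a mail gateway would apply before the user ever sees the “attached file”.

```python
# Added example, not code from the original post or from Websense. The .eml
# text, headers, attachment name and attachment bytes are constructed.
import base64
import email
from email import policy
from email.utils import parseaddr

# Constructed attachment: named like a PDF, but it begins with the "MZ"
# signature of a Windows executable (the rest is zero padding, not a program).
ATTACHMENT_B64 = base64.b64encode(b"MZ\x90\x00" + b"\x00" * 44).decode()

LURE = f"""\
Return-Path: <bounce@mail-relay.example.net>
From: BlackBerry <noreply@blackberry.com>
To: victim@example.org
Subject: Your BlackBerry ID has been created
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

You have successfully created a BlackBerry ID. To enjoy the full benefits of
your BlackBerry ID, please follow the instructions on the attached file.

--b1
Content-Type: application/octet-stream; name="BlackBerry_ID.pdf.exe"
Content-Disposition: attachment; filename="BlackBerry_ID.pdf.exe"
Content-Transfer-Encoding: base64

{ATTACHMENT_B64}
--b1--
"""

BENIGN = """\
Return-Path: <alice@example.org>
From: Alice <alice@example.org>
To: victim@example.org
Subject: lunch
Content-Type: text/plain

Still on for noon?
"""

EXECUTABLE_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".jar"}


def sender_domain(msg, header):
    addr = parseaddr(str(msg.get(header, "")))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw):
    """Return the reasons to quarantine a message (an empty list means nothing was found)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_dom, env_dom = sender_domain(msg, "From"), sender_domain(msg, "Return-Path")
    if env_dom and env_dom != from_dom:
        findings.append(f"envelope sender {env_dom} does not match From domain {from_dom}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        stem, dot, ext = name.rpartition(".")
        if dot + ext in EXECUTABLE_EXT:
            findings.append(f"executable attachment: {name}")
        if "." in stem:
            findings.append(f"double extension hides the real type: {name}")
        data = part.get_content()           # decoded bytes for non-text parts
        if isinstance(data, bytes) and data[:2] == b"MZ":
            findings.append(f"{name} starts with MZ: a Windows executable whatever its name")
    return findings


def verdict(raw):
    return "quarantine" if triage(raw) else "deliver"


if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("benign", BENIGN)):
        print(label, verdict(raw), triage(raw))
```

The content sniff matters more than the filename check: renaming the file would defeat the extension rules, but a Windows executable still has to start with `MZ` to run.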