Tag: Security

Keeping Fitbit safe from hackers and cheaters with FitLock

Post author By Christopher Parsons
Post date May 2, 2013

As if having the caloric details of your sex life posted publicly wasnât enough, new research has exposed additional security vulnerabilities in the popular Fitbit fitness tracking devices.

The ability to hack these devices, at the outset, seems silly: who would bother?

But as more and more organizations provide these to employees, to individuals they insure, and so forth, the desire to ‘game the system’ will increase. The problem is less along the lines of ‘you can capture this data’ – though that is a privacy concern – and more along the lines of ‘how can I beat the system reliably to advantage myself’.

Tags Fitbit, Fitness Tracker, Insurance, Security

Aside Links

Twitter Now Has a Two-Step Solution

Post author By Christopher Parsons
Post date April 24, 2013

So, I use two factor authentication for a variety of services. It’s great for security.

It’s also a royal pain in the ass to be (re)inputting secondary authentication information all the time. That basic ‘pain point’ is sufficient to dissuade most people from setting it up. I support Twitter adopting this, and for some people it’ll be awesome. For most people it’ll just be a pain in the ass.

Tags Privacy, Security, Twitter

Aside Quotations

2013.4.11

Post author By Christopher Parsons
Post date April 11, 2013

CryptDB, a project out of MIT’s Computer Science and Artificial Intelligence Lab, (CSAIL) may be a solution for this problem. In theory, it would let you glean insights from your data without letting even your own personnel “see” that data at all, said Dr. Sam Madden, CSAIL director, on Friday.

“The goal is to run SQL on encrypted data, you don’t even allow your admin to decrypt any of that data and that’s important in cloud storage, Madden said at an SAP-sponsored event at Hack/reduce in Cambridge, Mass.
Barb Darrow, “You want to crunch top-secret data securely? CryptDB may be the app for that”

This is super interesting work that, if successful, could open a lot of sensitive data to mining. However, it needs to be extensively tested.

One thing that is baked into this product, however, is the assumption that large-scale data mining is good or appropriate. I’m not taking a position that it’s wrong, but note that there isn’t any discussion – that I can find – where journalists are thinking through whether such sensitive information should even be mined in the first place. We (seemingly) are foreclosing this basic and very important question and, in the process, eliding a whole series of important social and normative questions.

Tags Database, Encryption, Ethics, Norms, Privacy, Security

Writing

The DEA, iMessage, and the Broader Significance

Post author By Christopher Parsons
Post date April 6, 2013

It’s been widely reported that the DEA San Jose office is unable to conduct surveillance of Apple iMessages. The note is revealing in its very phrasing; the author(s) state that:

While it is impossible to intercept iMessages between two Apple devices, iMessages between an Apple device and a non-Apple device are transmitted as Short Message Service (SMS) messages and can sometimes be intercepted, depending on where the intercept is placed. The outcome seems to be more successful if the intercept is placed on the non-Apple device. (emphasis added)

Note that despite the ‘encryption’ the agent(s) recognize that they can sometimes intercept messages. Importantly they are ‘more successful’ when the intercept is on the non-Apple device. Their phrasing suggests one of the following:

Authorities are occasionally able to intercept messages between Apple devices; or
Authorities are occasionally able to intercept messages that are inbound to an Apple device that are sent from a non-Apple device.

Either situation is interesting, insofar as the former raises questions of the efficacy of Apple’s encryption process and the latter questions about where a tap is placed pre-encryption in the Apple network.

More broadly, however, the challenge facing the DEA is one that is already encountered by investigators around the world. In fact, the DEA is in a pretty envious position: most of the major ‘messaging’ companies have some degree of corporate presence in the US and can thus be easily served with a wiretap order. Sure, a host of orders might need to be issued (one to Apple, one to Facebook, one to Google, etc etc) but this is a possible course of action.

Officers outside of the US that want similar access to messages that flow outside of SMS channels experience a different reality. They tend to need a MLAT or other cross-national warrant might be needed. Such warrants are incredibly time consuming and, as a result, resource intensive. These kinds of pressures are, in part, responsible for the uptick in discussions around state agents serving malware to mobile and fixed computing systems: it just isn’t practical to ‘wiretap’ many of these communications anymore, on the basis that the companies running the services are beyond the authorities’ jurisdictions.

So, while encryption is (fortunately) becoming more and more common, this isn’t necessarily the ‘solution’ to third-parties intercepting communications. Indeed, all it means is that attackers (in this case, the state) are targeting the far softer domains of the communications infrastructure: everything around the encryption layer itself.

Tags Apple, DEA, Encryption, iMessage, Police, Security

Aside Links

New credit cards vulnerable to electronic pickpockets

Post author By Christopher Parsons
Post date March 27, 2013

Fortunately, only ‘advanced payment cards’ are currently affected by this. Well, and the BC Services Card once it’s in people’s hands and the chip has been activated.

Tags British Columbia, NFC, Paywave, Security

Links

Trojan can hijack smart cards, says researcher

Post author By Christopher Parsons
Post date March 25, 2013

Well, at least this technical threat isn’t a problem in Canada, where we aren’t moving towards advanced electronic identity cards meant to subsequently be accessed using personal computers to access sensitive data held by government services.

Oh. Wait. I forgot: we’re doing just that, aren’t we.

Tags British Columbia, Security, Smartcard, Trojan

Aside

Promotional video of the FinFisher surveillance malware

Post author By Christopher Parsons
Post date March 23, 2013

This promotional video of the FinFisher surveillance malware has some interesting components:

they are talking about older Blackberry devices – I’m curious to know if they already have a ‘solution’ for more contemporary devices;
the video speaks of infecting websites, which seems to suggest that an element of the FinFisher process is attacking unrelated website to then hunt targets. Crazy illegal in most jurisdictions I’m familiar with;
the company focuses on TrueCrypt, which confirms the position the TC is a pretty awesome way of securing things you want to remain confidential….so long as you’re not infected with surveillance malware.

Tags FinFisher, Hacking, Malware, Security, Surveillance

Links

FBI: Smart Meter Hacks Likely to Spread

Post author By Christopher Parsons
Post date March 20, 2013

Though a little over a year old, this post concerning the security of smartmeters is particularly valuable considering the rapid adoption of the technologies throughout Canada. Particularly pertinent:

Citing confidential sources, the FBI said it believes former employees of the meter manufacturer and employees of the utility were altering the meters in exchange for cash and training others to do so. “These individuals are charging $300 to $1,000 to reprogram residential meters, and about $3,000 to reprogram commercial meters,” the alert states.

The FBI believes that miscreants hacked into the smart meters using an optical converter device — such as an infrared light — connected to a laptop that allows the smart meter to communicate with the computer. After making that connection, the thieves changed the settings for recording power consumption using software that can be downloaded from the Internet.

“The optical converter used in this scheme can be obtained on the Internet for about $400,” the alert reads. “The optical port on each meter is intended to allow technicians to diagnose problems in the field. This method does not require removal, alteration, or disassembly of the meter, and leaves the meter physically intact.”

The bureau also said another method of attacking the meters involves placing a strong magnet on the devices, which causes it to stop measuring usage, while still providing electricity to the customer.

So, this suggests that insider threats and poor shielding enable significant fraud. Can’t say it’s surprising given how often these meters have been compromised when deployed in other jurisdictions.

Tags Electricity, FBI, Security, Smartgrid, Smartmeter, United States

Links

Internet Census 2012

Post author By Christopher Parsons
Post date March 19, 2013

yostivanich:

While playing around with the Nmap Scripting Engine (NSE) we discovered an amazing number of open embedded devices on the Internet. Many of them are based on Linux and allow login to standard BusyBox with empty or default credentials. We used these devices to build a distributed port scanner to scan all IPv4 addresses. These scans include service probes for the most common ports, ICMP ping, reverse DNS and SYN scans. We analyzed some of the data to get an estimation of the IP address usage.

Super interesting research, though incredibly illegal and borderline ethical (at absolute best, and most charitable).

Tags Botnet, DNS, IPv4, Security

Quotations

2013.3.16

Post author By Christopher Parsons
Post date March 16, 2013

This is the problem. Against a sufficiently skilled, funded, and motivated adversary, no network is secure. Period. Attack is much easier than defense, and the reason we’ve been doing so well for so long is that most attackers are content to attack the most insecure networks and leave the rest alone.
Bruce Schneier, “Phishing Has Gotten Very Good”

Tags Phishing, Security