Getting Hacked at Defcon

LAS VEGAS--All these years I’ve outsmarted the Defcon hackers with one simple rule: Carry no computer into the Defcon melee.  Just a pen and paper to record to notate events is all that's needed—which are kinda hard to hack unless the notes are wrestled away or lost (which has been known to happen after too many Vegas parties).

But this was my first year with my new iPhone, and boy, was I reminded about how much of a computer these smart phones have become.

It happened after I went on the air with a local Las Vegas radio station on a show called “The Usual Suspects.”

The broadcast was being hosted live from a skybox looking down over the Defcon gaming area. Host SMAction (Scott Miller), GiD (no real name available) and R0d3nt (Andrew Strutt) asked about my impressions of Black Hat (see previous blog), government pay for hacking talent, and so on. And I asked whether or not they should be cleaning the microphone between uses. (They put the mic right up to your lips, man).

Once downstairs in the gaming area, two of my pals (one from Air Force, one formerly Army and Homeland Security) asked if my iPhone was sending a wireless signal. Bluetooth was off. Accept no new networks was on (so no network could connect to my phone without me requesting the connection). But I hadn’t thought about how the iPhone is always looking for a wireless signal to connect to the Internet.

We turned Wi-Fi off, no harm done. But after leaving my friends and heading toward the Hacker Jeopardy game, a gray highlighted message appeared on my iPhone screen that read, “Do you want to know your location? Yes  Cancel.”

Clicking cancel just made the message come back. Like a DoS (denial of service), it kept interrupting important texts with my friends. (“Where’s the parties?” “Delchi mixing, Top of the Riv [short for Riviera, the hotel venue for Defcon].” “What are u doing?” “303 party in Skybox!” “Where r you now?”)

For help, I stopped three Defcon Goons in the hall and showed them the message that kept looping. Goons are the big hacker guys in red t-shirts with radios and other gear who make sure some order is followed (for example preventing stampedes and throwing out Dateline reporters who appear undercover  after being warned ahead of time about Defcon media rules). 

The three Goons determined the DoS to be a direct attack on the phone’s GPS (global positioning system used for getting maps), which was also sending out a signal.  Once they clicked that off, the messages stopped. Thanks, Goons.

The experience has forever embedded in me that phones really are computers. And they’re promiscuous at that—constantly reaching out to other networks and devices hoping to connect.

Phones aren’t all that is reaching out. So, too, are the chips and magnetic stripes on passports, driver’s licenses and banking/credit cards. So now I am shopping for a wallet that blocks RFID readers from doing passby downloads off all the cards I carry with me.

At least at the conference, the hacks are done for sport, no identities are really stolen, and when user passwords to phones and such are caught, they’re pasted up on the Defcon wall of shame in a way that will not overly-expose the victims. Only part of a user name and password captured by hackers appears on the wall of shame (the rest is xxxd out). So the wall posts just enough for the victim to know it was his/her password and username that was intercepted, but not enough for anyone to use the data to gain access.

Looking forward to next year, hackers. Hopefully by then I’ll be more prepared.

 

Black Hat 2009: Nothing’s Safe

LAS VEGAS—For years hackers have been telling us that everything in the digital world is already owned. “No, everything,” is part of a logo for the Smoo Group, for example. But there’s always been small comfort that some technologies are too difficult for hackers to break and therefore safer to use.

The MacIntosh operating system, our carrier-bound wireless phones (in the U.S. anyway), virtual machine-to-host system connections, and sub-layers in the physical hardware are examples of technologies in which I’ve had some level of faith in the past. Not anymore.

In the third and fourth-floor ballrooms at Caesar’s Palace, all of these technologies were shown to be broken during Black Hat 2009 in Las Vegas this week.

All research demonstrated at Black Hat was done so responsibly—specific vulnerabilities have been patched by the technology vendors who where alerted to the problems by the researchers presenting at Black Hat this year. Nevertheless, these harbingers have stripped away any delusion that there is a single technology we could consider “safe” from attacks and abuse.

Imagine, if you will, rampant phishing directly off wireless devices, and the carrier is powerless to protect because the attacks being conducted are invisible to the carrier. This is entirely possible by tricking SMS into buffer overflowing a place in memory to accept remote commands, as demoed on the iPhone by Charlie Miller and Collin Mulliner.

“You’re phone is your most ‘personal’ personal computer,” said John Hering in a followup session. Hering sat on a panel that essentially described how to use similar techniques in the iPhone hack to look for these bugs in all smart phones.  The tool they developed is called Fuzzit.

Work like this is taking place ahead of the crime wave that will ultimately follow as more zero day vulnerabilities are discovered by the real criminals that are not part of the ethical research community at Black Hat. 

Ahead of the curve research like this offers some comfort. So, too, does the unprecedented cooperation between vendors and researchers this year—a far cry from the Cisco/ISS gaffe against researcher Michael Lynn in 2005.

Still, there’s so much work to be done it’s overwhelming, which was particularly evident during the panel on Washington, in which government, security and privacy experts couldn’t agree on who should handle the cyber security problem or how it should be handled. But it was clear to all that today’s Band Aid solutions to each individual problem will only hold up so long.

Ultimately, this begs the question that was asked more than once at Black Hat: Should we tear up the Internet as we know it and rebuild a backbone structure that starts with security first? Or should we hope that the current model of playing Whack a Mole with patches and standards holds up for our future generations?  

Harassment is Harasment

It looks like a beast of a woman who dressed up as a boy on MySpace to harass a 13-year-old into committing suicide is getting away with it. 

Why? 

Because monster woman conducted her harassment on the Internet and the justice system couldn't find a law that applied.

My question has been and always will be "Why do we need a different law because it happened in cyberspace?"

This is a case of harassment. Why not just charge that monster mother for harassment of a child? A child died directly because of that harassment. 

Why do we get hung up on the technology over which the harassment was conducted? 

As a mother, this case sickens me more ways than one. It turns my stomach that a girl died young, alone and utterly distraught, and worse that there will be no justice. It sickens me further because throughout the public ordeal, monster mom has shown no remorse.

Makes you wonder if she, the spoiled brat daughter she was 'protecting,' or others reading about this injustice will repeat such evil.

RSA: Final Thoughts

SAN FRANCISCO—Attendance was down enough to dull what’s usually a loud roar to a low buzz in the cavernous expo hall at the RSA Security Conference last week. Yet, examples of innovation and security maturation were still in abundance. In particular, there was a lot of standards-based innovation around authentication, managing peoples’ online identities, encryption and data management.

“What the market is moving toward is end-to-end trust, both preventive and reactive,” said Scott Charney, Microsoft’s corporate VP of Trustworthy Computing, during a Tuesday morning keynote. “This includes root trust in the hardware store, and trust of the people requesting access, and protection of personal and confidential data.”

Vista includes full volume encryption with Trusted Bit Locker based on the Trusted Platform Module (chip security) framework, and has a browser application to accept only digitally signed data. For Windows 7, Microsoft has partnered with EMC/RSA for technology to create secure, peer-to-peer IPV6 log-in sessions using IPsec (Internet Protocol Security).

In another project, code-named ‘Sterling,’ Microsoft is developing an API for third parties to create an “identity meta system” akin to how birth certificates are used in the real world, according to Charney. (As I blogged previously, some security vendors are even looking at becoming the overall vetting service for online identities, akin to what Verisign does with digital certificates.)

There was also a lot of development around OATH (Initiative for Open Authentication), an open standard for two-factor authentication, which is happening on cards, tokens and phones, says Don Malloy, business developer manager at NagraID and marketing chair for OATH. 

Integration between applications and network security was also announced by security lifecycle management startup, Tufin Technologies, which released TOP (Tufin Open Platform) open APIs for developers. Already it partners with F5 and Blue Coat for policy management, and is deeply integrated with Check Point, Juniper, Cisco and Fortinet.

Also at the application level, another leap in database security appears to have happened, with database security vendor Secerno going beyond the external database firewall model we’re seeing today to include access controls, encryption management, and filtering at the database kernel level.

Improvements in Web and cloud application security are also beginning to emerge that go beyond the traditional Web application firewalls. Mykonos, at a classy reception atop the Sir Francis Drake Hotel, launched a secure end to end framework for Ajax application developers. It includes encryption, digital signatures, logging, and auditing against SQL injections, session hijacking and other common problems associated with Web applications.

Particularly during this economic downturn, this type of unsexy, low-level, standards-based development is exactly what the industry needs in order to emerge from the recession prepared for customer demands, says Tom Corn, VP of marketing for RSA.

“We’ve got to stop playing Whack-a-Mole with all these new security issues and solutions that come up,” he says. “We need to decouple authentication from individual applications to enforce policies that span identities, infrastructure and information controls.”

RSA First Impressions: Virtualization and Identity Innovations

SAN FRANCISCO—Virtualization as a security mechanism, starting with virtual vaulted machines for different levels of use, is one idea to come out of Symantec’s innovator’s meeting today at RSA.

In this model, there would be the primary VM the same as most computers today; least secure “playground” (players, peer to peer, etc.)” and super securest, preconfigured with minimal applications (o/s, browser) for use during the HTTPS session.  All this would roll over flawlessly without user notice … in fact they had to put up funny little icons to show when they were switching between Virtual Machines during the demonstration.

This is a backward take on what I’ve been thinking about security as a virtualization device in that it can hide the security software beneath the O/S and therefore not get rootkitted. They have plans to go there, too, but they started first with the virtual desktop piece.

I’m not thoroughly satisfied with their answer to my question on upkeep (patching, configuration) for the three machines: Their answer is the master is still controlled like they would a single physical machine with their auto updates turned on, etc. The necessary updates will hit them all where they apply, but somehow Symantec will have to ensure that the uber secure machine, at least, is continuously configured securely.

Symantec also had this idea of identity layer that would require a middleman to vet identities for uber secure accounts and later for the masses once we get all the standards, vendors and new layer of middlemen sorted out.  Symantec says customers are begging them to manage their identities.   In this model, Symantec would act like the master Verisign type service only deeper. But how is this different than the vetting type ID services in action today?

Think about dating sites, says Brian Hernacki, Symantec Architect. Serious customers would pay extra for a stamp or a star saying they’ve been vetted enough to know they’re not making things up.  So they’ll pay extra to be snooped upon?  Now that’s a turn of events.

Help! I'm Stuck in London and I've Been Robbed!

The scam got one of my daughter's college friends to send $300 to a total stranger in London. How? 

First the scammers somehow hijacked her Facebook account, then sent an urgent message to all her Facebook Friends. The message said she'd been robbed in London, had no money or passport and to please wire money. My daughter's sweetest of friends sent the money without question, which is what the scammers want. They want to elicit such a strong emotion that the recipient acts first, asks questions later.

Question are what I started asking after my daughter contacted me about the scam. An FBI spokesperson said they've recently received multiple complaints reporting their Facebook accounts and other e-mail accounts were being hijacked and mails sent to all the addresses in their email lists with the same or similar message.

Although it sounds suspiciously like a Facebook problem, a spokesperson from Facebook told me that this was a manual attack, these accounts are getting picked off one at a time. He also said that the accounts were likely taken over by someone who got their passwords somewhere else - most often through another online account  using the same email and password. This makes sense to some degree, as my daughter said she did have a problem with her Paypal account about a month earlier in which Paypal alerted her that her account had been "accessed by a third party."  And she used the same password and email address for both accounts.

But why, all of a sudden, this rash of these scams over Facebook specifically? I still hazard it might be a Facebook problem. 

But it's also just as likely that accounts were accessed through another hacked account, for example from a hacked Paypal account to a Facebook account. To me, that means that there is a secondary market for stolen credentials. In the primary market, financial information is phished and derived directly from compromised accounts. When the activity caught and the account closed, they then peddle the credentials off to somewhere labor is cheap. In this secondary market, they scour around for Facebook and email accounts that are used by the same people, test the credentials, and viola! they're in.

It's making my head spin.  

Bottom line is DON'T FALL for these scams. Second, if you use the same password for multiple accounts, you might want to rethink that. Or at the least, change passwords to all accounts using that password should one go awry.

Help for the Check Scammed

Just found a good site for help with fake check frauds. Created by the nonprofit National Consumers League (NCL), Fakechecks.org includes fraud tests for work at home, foreign business, overpayment, lottery/sweepstakes, rental and suitor offers. Pretty basic questions, like would a legit company ever offer a stranger a job over the Internet? (Of course not.) But criminals are having a field day with today's economy wherein people are desperate for paying work. 

So for those 99.5%  finding this blog through searches for information on fake check scams, remember, there are multiple reasons you would be approached to cash checks from strange business offers: The criminals are laundering money; the criminals want your money from your bank account; and/or they want sell your bank accounts to others.

Holding computers hostage

in his January 29 Backspin column, Mark Gibbs wrote a cheeky narrative as told through the eyes of a Russian criminal. In so doing, Gibbs tells the story of how the criminal takes control of a computer and holds it for ransom. While his narrative is complete fiction, the story he tells is really happening. He writes:

In the three-ninth kingdom ("V tridevyátom tsárstve," which is like your "once upon a time"), my little friend got into Gibbs' computer ...
I have zero day exploit I purchase off my friend Yuri that it is better to remain my little secret (this cost me a hundred thousand credit cards, which was a lot but what I got from Heartland Credit Systems was much greater … )
Now my little friend is busy. He is sending me everything from Mr. Gibbs' hard drive. I could clean out Gibbs' bank account but what fun would that be? His bank would simply cover the loss. No, much better to just hold Gibbs' computer hostage. He is now seeing a pop-up that says the following: "My dear Mr. Gibbs, I could clean out your bank account. I could send porn to all your friends so it looks like you sent it. I could do anything I want. But this is your lucky day. You will have noticed by now that you cannot access your files. All I want you to do is pay me $10 a month and I will let you have access. ...

That pretty much sums up the reality of the criminal underground. So people, keep your security updated, your browsers up to date, and don't fall for any popup message saying your identity's been stolen or you need to repair or secure your computer. 

Who leaves $20K in a car trunk?

That's what happened Sunday at the New Vintage Church in a large, public parking lot at the Wells Fargo Center for the Arts in Santa Rosa, California, where the service was being held.

After I tipped her off to the theft yesterday, Randi Rossmann, of the Press Democrat, reported in today's paper that the Sheriff suspects the criminals were watching and ready when an usher put a manilla envelope containing an estimated $20,000 in cash and checks into the trunk of his car and returned to the service. During the service, the topic of which was moral fortitude, the thieves broke a car window and got into the trunk through the back seat. 

In my original blog about the incident on Monday, I wondered about the security ramifications of collecting offering from a service in a much-used public building. There is no safe there. And a locked room or car trunk isn't much deterrent. This should be a lesson to any charitable organization handling people's money: Criminals have no morals and they're always looking for the weakest link. 

The other, larger issue, is ID theft from those checks that contain account numbers, names, addresses, sometimes phone numbers and even driver's license numbers. All valuable data to steal accounts or create new identities. 

Yet, by Wednesday, the church had not announced to its congregation that those who wrote checks are at risk of account or identity theft--this was after I wrote them an email and called them to tell them that members need to protect their accounts. That's why I tipped the local newspaper.  (No thanks to Rossmann who left my quotes out of the story even after I gave her the story lead and copies of the church mailers.}

Today, the church issued a second email advising members to flag or cancel their accounts. The article in the Press Democrat also advised members to protect their identities. One last item though: The church still needs to put a notification on its Web site for those who aren't on the email list or who haven't read the paper.

Personal Checks In Stolen Church Offering

When the New Vintage Church in Santa Rosa, California, moved its Sunday service to the larger pastures of Santa Rosa's performing arts center on January 10, its entire offering was stolen.

More than 1,000 worshippers attended that service, according to a Santa Rosa Press Democrat story about the church to run that same Sunday. Any number of these 1,000 worshippers could have written checks, which the church’s e-mail advised its members to cancel.

What irks me is that the church sent out e-mails asking everyone to "re-contribute" and cancel their missing checks, send in cash again if they paid cash, etc. There was NOT ONE MENTION OF POTENTIAL FOR IDENTITY THEFT or what to do about it!

If members of the congregation put checks in the offering bags, they should do more than cancel their offering checks. They should also cancel their accounts and start new ones … Or, at the least, put an alert on their accounts.

After all, anyone who steals from a church has no compunctions about using the church members' checks to steal money and credit off those accounts. It’s reasonable to assume that the account and personal information on those checks is more valuable than the $1’s, $5’s, $10’s (and the rare $20) they’re likely to find in the offering bags.

In addition to offering identity protection advice to its constituents, this church’s leadership also needs to get more security savvy. (Holding church in a public performing arts center presents its own set of challenges.) And church ushers responsible for those offering bags had better undergo training.