Late July 2016 roundup

Here are a few news stories that caught my interest lately. Maybe one of them will be good for a story.

Internet-connected cameras are a terrible idea

These devices seem like a great idea. You use one like a security camera, but it’s connected to the internet and has a web interface, so that you can log on to it from anywhere to download footage or pictures.

Unfortunately many devices like this don’t get much attention from the manufacturer after production. It turns out that lots of these cameras all have the same remotely-exploitable command injection vulnerability. So it’s not hard to use one or more of these cameras to perform distributed denial-of-service attacks on other targets. These cameras also have a common signature which makes them fairly easy to locate in things like the Shodan search engine.

A SANS infosec article about this points out that people install these devices on the same networks where they have servers hosting sensitive resources. So it’s not a stretch to imagine your main character using Shodan to find vulnerable cameras on a target network and using the cameras to attack the target’s web servers.

Turn your head and cough

Medical devices can have a similar problem. A hospital buys an X-ray machine, and it’s really expensive and mission-critical (it’s in the business of saving lives, after all), so no one wants to mess with it. The hospital just wants to install it and have it run perfectly forever.

But over time vulnerabilities creep in that neither the manufacturer nor the hospital wants to take the risk of patching, because who wants to stick a patient in an MRI machine only to find that the control system stopped working after running an update last night? As a result some of these medical devices are riddled with malware that crooks can use to attack riper targets. Does your character want to hack a hospital to get at patient data he can use for identity theft? It might not be that hard.

Grand theft auto

Here’s an article with video of someone using a laptop to steal a 2010 Jeep Wrangler. It’s not clear what the person is doing, but a policeman quoted in the article speculates that the thief used the laptop to persuade the car’s computer to recognize a key fob the thief had with him. It’s probably just a matter of time until that technique is possible with a phone. “There’s an app for that.”

And as if on cue, Fiat Chrysler is running a bug bounty to pay people to find and report security problems in cars’ computer systems.


Two-factor authentication

Many online services offer two-factor authentication (2fa) to protect users’ accounts. When you enable 2fa on an account, it means that you still log in with a username and password, but then you have to enter a one-time code before you can access your account. How you get the code (typically a six-digit number) depends on the implementation: twitter sends you the code in an SMS text message, while others (like google and facebook) have you look up the code in a mobile app. Either way, you generally get the code with your phone. The point of this is to make it harder for someone to break into your online account, because they’d have to know your password and have access to your phone.

So logging in with 2fa means taking an extra step which at times can feel like a nuisance. The way I look at it is that it’s a minor inconvenience for me, but it’s a significant inconvenience to someone who wants to steal my account.

2fa isn’t a new innovation. I knew someone in the late 1990s who worked for a government-funded research facility, and he carried around a little device in his pocket. When he needed to log in to one of the facility’s computers, he’d have to look at the code that appeared on the device’s screen and enter that code in order to complete his login process. It worked very much like modern 2fa implementations.

More and more online services are offering 2fa, and I encourage you to start using it wherever you can. The Two Factor Auth (2FA) web site provides of list of who does and who doesn’t offer 2fa login features. This can be a good place to see which of your accounts have 2fa available, and the 2fa site typically has a link to the documentation on how to set up 2fa for each service.

2fa makes it a lot harder for someone to take over an account, but it’s not perfect (and this is the part that might be useful to a writer who needs her main character to defeat a 2fa-protected account). Someone gained control of the twitter account of political activist DeRay Mckesson, an account that had 2fa enabled. The criminal contacted Verizon (Mckesson’s mobile provider) and convinced the billing department that Mckesson’s cell phone number had changed. So SMS messages that should have gone to Mckesson instead went to the criminal’s phone. The criminal then used twitter’s “forgot my password” feature and received an SMS message with the code the criminal needed to complete the account theft.

This is a good reminder of how effective social engineering can be. Some people will do anything to end a phone conversation with an angry-sounding customer. Sometimes the best hacks exploit people, not computers.

By the way, that Naked Security post (near the end) has some tips on how to enable security features on the accounts of several mobile providers, including Verizon. That might or might not have made a difference in DeRay Mckesson’s incident, but it might have made it easier for him to regain control of his Verizon account.