Yesterday’s IoT attack on Dyn

Yesterday criminals used an “Internet of Things” (IoT) botnet to attack dyn.com, a provider of name services. The domain name service (DNS) is the network protocol that converts something memorable (like http://www.amazon.com) into the IP address your browser needs (54.239.26.128) in order to connect to the remote server hosting the web page you want to visit. dyn.com is a company that provides these services. And as the InfoSec Handlers point out, lots of big-name web sites including twitter and spotify use dyn.com services and were affected by the attack.

IoT is the name given to consumer devices that you can buy and then attach to the Internet for various reasons (I’ve written about IoT before). Many of these devices have really poor security. They commonly have default and well-known passwords that many users don’t change. So there are lots of Internet-connected devices (easily discoverable with databases like Shodan) with no protection against someone who knows the default passwords.

Brian Krebs has a lot of good detail about yesterday’s attack and how it was the work of IoT devices like video cameras and DVRs controlled by Mirai. Mirai is (publicly available!) malware that scours the Internet looking for devices with default passwords and uses them to attack specific targets. Yesterday someone pointed those devices at dyn.com, and that’s why you had trouble tweeting about why you couldn’t listen to your music.

Manufacturers have sold a lot of this IoT junk, and we’ll be stuck with this sort of thing for years.

Predictably insecure electronic locks

A couple of researchers recently presented their analysis of a dozen or so consumer electronic locks. Some of these locks are the kind that you’d use on a typical door in place of a deadbolt, and some of them work like padlocks. Most of them use bluetooth for wireless operation: you purchase the lock, install an app on your phone, and then use your phone to lock and unlock the device.

Sounds great, right? That’s fewer keys in your purse or pocket or in that not-very-fake-looking rock on your porch. You can enable a temporary code that you send to your plumber, so that he can enter the house while you’re at work. Some devices even have access logs. (Did the plumber come when he said he would? How long did he stay?)

The researchers found that 75% of the devices they studied were vulnerable to different kinds of attacks. In many or most cases, these attacks involved capturing and analyzing the traffic between the smart phone and the lock. The researchers notified the vendors of the affected products, but none of them was interested in doing anything about it. And why would they? At the very best, it would mean an expensive and embarrassing public relations campaign to notify consumers that they had purchased a lock with a defect.

This offers a plausible way for your character to do some breaking-and-entering. Maybe she needs to enter the home or storage building of a gadget-lover. She might need to plant some kind of sniffer device near the lock she wants to defeat and leave it there long enough for someone to use the lock. The FTS4BT bluetooth protocol analyzer and packet sniffer looks like a USB device that she could plug into a Raspberry Pi. Tricking the lock might be as simple as replaying the signal that the sniffer recorded. If the device doesn’t have access logs (or if the owner doesn’t bother looking at them), your character could come and go as she pleases from then on.
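Why a recorded signal can be replayed, and what a lock designed against that looks like, as an added example (not code from the researchers’ report or from any lock vendor): a toy lock that accepts the same unlock message every time, beside one that issues a fresh random challenge and expects an HMAC over it. The shared key and message formats are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Added example (not from the researchers' report or any vendor): a toy lock
# that accepts the same unlock message every time, beside one that issues a
# fresh random challenge and expects an HMAC over it. Shared key is constructed.
SHARED_KEY = b"demo-shared-key-not-real"

def static_unlock_message(key: bytes) -> bytes:
    """Weak app: a fixed value derived once from the key."""
    return hashlib.sha256(b"unlock" + key).digest()

def app_response(key: bytes, nonce: bytes) -> bytes:
    """Hardened app: HMAC over the lock's single-use challenge."""
    return hmac.new(key, nonce, hashlib.sha256).digest()

class StaticTokenLock:
    """Weak design: the unlock message never changes, so a sniffed copy works."""
    def __init__(self, key: bytes):
        self._token = static_unlock_message(key)
    def unlock(self, message: bytes) -> bool:
        return hmac.compare_digest(message, self._token)

class ChallengeResponseLock:
    """Hardened design: each unlock needs a MAC over a nonce the lock just issued."""
    def __init__(self, key: bytes):
        self._key, self._nonce = key, None
    def challenge(self) -> bytes:
        self._nonce = secrets.token_bytes(16)
        return self._nonce
    def unlock(self, response: bytes) -> bool:
        if self._nonce is None:
            return False
        expected = app_response(self._key, self._nonce)
        self._nonce = None  # consumed whether or not the response is valid
        return hmac.compare_digest(response, expected)

def demo() -> tuple:
    """(replay works on weak lock, legit unlock on strong lock, replay works on strong lock)"""
    weak = StaticTokenLock(SHARED_KEY)
    sniffed = static_unlock_message(SHARED_KEY)
    weak.unlock(sniffed)                # owner's legitimate unlock
    replay_weak = weak.unlock(sniffed)  # the same bytes, sent again
    strong = ChallengeResponseLock(SHARED_KEY)
    sniffed = app_response(SHARED_KEY, strong.challenge())
    legit = strong.unlock(sniffed)
    strong.challenge()                  # a new nonce for the next attempt
    replay_strong = strong.unlock(sniffed)
    return replay_weak, legit, replay_strong
```

Access logs on the lock would still be the only way to notice the replay against the weak design; the challenge-response design makes the recorded bytes worthless on their own.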

Oh, and don’t use electronic locks in real life. There’s a reason people have used metal keys to secure their stuff for hundreds of years.

Project timelines

I find it very difficult to estimate project timelines. Things usually take longer than I expect, and I never seem to learn. When someone asks me for a project timeline, I usually tell them that it will take somewhere between two hours and eighteen months.

As a recent example, I wanted to add a skip-to-main-content feature to a web application, because the application was growing a large block of navigation links at the top of every page. I figured this problem would have a widely-accepted solution, and that this would be a ten-minute task.

A web search quickly disabused me of that assumption. Lots of people solve this problem in different ways. I was looking for something that would

  1. work in most or all modern browsers
  2. hide the skip link until the keyboard user TABs to it
  3. not require JavaScript
  4. (most importantly) manage focus such that using the TAB key again advances focus to the next focusable element.

Here’s the implementation I ended up using. It’s still not perfect, because it won’t work in Firefox on OS X (not without some help, anyway).

So with evaluating search engine results, trying several different things, and then testing on a bunch of browsers, this ten-minute task took all morning one day.

At times like this I’m reminded of The Money Pit, a 1986 film with Tom Hanks and Shelley Long about a couple who buy a house and hire a bunch of contractors to renovate it. Every time they ask the foreman how much longer the work will take, he says, “Two weeks” (typically with derisive laughter).

So if you’re writing about someone who works in technology and need some day-to-day flavor for her, have her deal with a money pit assignment and an impatient customer.

Late July 2016 roundup

Here are a few news stories that caught my interest lately. Maybe one of them will be good for a story.

Internet-connected cameras are a terrible idea

These devices seem like a great idea. You use one like a security camera, but it’s connected to the internet and has a web interface, so that you can log on to it from anywhere to download footage or pictures.

Unfortunately many devices like this don’t get much attention from the manufacturer after production. It turns out that lots of these cameras all have the same remotely-exploitable command injection vulnerability. So it’s not hard to use one or more of these cameras to perform distributed denial-of-service attacks on other targets. These cameras also have a common signature which makes them fairly easy to locate in things like the Shodan search engine.

A SANS infosec article about this points out that people install these devices on the same networks where they have servers hosting sensitive resources. So it’s not a stretch to imagine your main character using Shodan to find vulnerable cameras on a target network and using the cameras to attack the target’s web servers.

Turn your head and cough

Medical devices can have a similar problem. A hospital buys an X-ray machine, and it’s really expensive and mission-critical (it’s in the business of saving lives, after all), so no one wants to mess with it. The hospital just wants to install it and have it run perfectly forever.

But over time vulnerabilities creep in that neither the manufacturer nor the hospital wants to take the risk of patching, because who wants to stick a patient in an MRI machine only to find that the control system stopped working after running an update last night? As a result some of these medical devices are riddled with malware that crooks can use to attack riper targets. Does your character want to hack a hospital to get at patient data he can use for identity theft? It might not be that hard.

Grand theft auto

Here’s an article with video of someone using a laptop to steal a 2010 Jeep Wrangler. It’s not clear what the person is doing, but a policeman quoted in the article speculates that the thief used the laptop to persuade the car’s computer to recognize a key fob the thief had with him. It’s probably just a matter of time until that technique is possible with a phone. “There’s an app for that.”

And as if on cue, Fiat Chrysler is running a bug bounty to pay people to find and report security problems in cars’ computer systems.

July 2016 updates from Apple

Apple has recently released updates to many of its products. These updates address problems that are believed to be remotely exploitable, so it’s time to run updates on your Macs, iPhones, iPads, and everything else with an Apple logo. Here are the security bulletins for OS X and iOS, but there are also updates for iTunes, Safari, Apple Watch, and others.

Good example of tech fiction

Last month New York Magazine published a near-future fictional account of a massive cyberattack against the city of New York. The author is Reeves Wiedeman, and he did a great job of collecting actual events into a plausible narrative. The story even has useful annotations in the sidebar, many with links to further reading.

Two-factor authentication

Many online services offer two-factor authentication (2fa) to protect users’ accounts. When you enable 2fa on an account, it means that you still log in with a username and password, but then you have to enter a one-time code before you can access your account. How you get the code (typically a six-digit number) depends on the implementation: twitter sends you the code in an SMS text message, while others (like google and facebook) have you look up the code in a mobile app. Either way, you generally get the code with your phone. The point of this is to make it harder for someone to break into your online account, because they’d have to know your password and have access to your phone.

So logging in with 2fa means taking an extra step which at times can feel like a nuisance. The way I look at it is that it’s a minor inconvenience for me, but it’s a significant inconvenience to someone who wants to steal my account.

2fa isn’t a new innovation. I knew someone in the late 1990s who worked for a government-funded research facility, and he carried around a little device in his pocket. When he needed to log in to one of the facility’s computers, he’d have to look at the code that appeared on the device’s screen and enter that code in order to complete his login process. It worked very much like modern 2fa implementations.

More and more online services are offering 2fa, and I encourage you to start using it wherever you can. The Two Factor Auth (2FA) web site provides a list of who does and who doesn’t offer 2fa login features. This can be a good place to see which of your accounts have 2fa available, and the 2fa site typically has a link to the documentation on how to set up 2fa for each service.

2fa makes it a lot harder for someone to take over an account, but it’s not perfect (and this is the part that might be useful to a writer who needs her main character to defeat a 2fa-protected account). Someone gained control of the twitter account of political activist DeRay Mckesson, an account that had 2fa enabled. The criminal contacted Verizon (Mckesson’s mobile provider) and convinced the billing department that Mckesson’s cell phone number had changed. So SMS messages that should have gone to Mckesson instead went to the criminal’s phone. The criminal then used twitter’s “forgot my password” feature and received an SMS message with the code the criminal needed to complete the account theft.

This is a good reminder of how effective social engineering can be. Some people will do anything to end a phone conversation with an angry-sounding customer. Sometimes the best hacks exploit people, not computers.

By the way, that Naked Security post (near the end) has some tips on how to enable security features on the accounts of several mobile providers, including Verizon. That might or might not have made a difference in DeRay Mckesson’s incident, but it might have made it easier for him to regain control of his Verizon account.

20160619 news roundup

This blog is still an experiment, so I may try different things from time to time. Today I’m going to post a few news items that caught my interest lately. This serves a couple of purposes. It gives me a place to keep these things for later reference, and maybe it’ll provide you or me with something to put in a story.

Don’t use default passwords

The Liberal Party of Quebec uses video conferencing software to facilitate and/or record their meetings. No doubt they would prefer that the content of these meetings be confidential, but whoever set up the software left it with a default password. So it was easy enough for someone to connect to the videoconferencing software and to provide a vendor default password (which is probably in a publicly-available product manual). Someone did this and downloaded and published live and archived meeting content. This is a good illustration of the danger of not changing vendor default passwords.

Never shop for anything. Ever.

It’s getting harder and harder to have much privacy online. Sites like to track us as we browse the web, trying to figure out how ads affect our online shopping habits. And now it may be getting even worse. Facebook is planning to track us using our phones’ GPS and by the wireless access points our phones see (even if we don’t connect to the access points, our phones see them). Facebook can then sell this data to the owners of physical stores: “This many people physically visited one of your brick-and-mortar stores within this many days of viewing your advertisement online.” This is like that scene in Minority Report when the billboards address the Tom Cruise character by name as he walks through a store. I disable location services (GPS) on my phone, and when I think of it I turn off wireless when I’m away from home and work. It saves the battery, and it may help my privacy.

Aliens

For those of us who wonder about humanity’s ability to detect alien spacecraft, here’s an interesting data point. Asteroid 2016 HO3 has been a quasi-satellite of Earth for decades, and it was only discovered in April of this year. It’s probably between 120 and 300 feet in size. Imagine sitting in the stands of an American football stadium and looking at an object (or a space vessel) that starts at one end zone and stretches at least to the 40-yard line (and maybe to the opposing end zone). 2016 HO3 never gets very close (it wanders around between 38 and 100 times the distance between the Earth and the moon), but that might be close enough to get a look at us.

And today I learned that NASA has a Planetary Defense Coordination Office. They even have an organizational chart.