Category: roundup

Mid-January 2019 news roundup

Here are a few interesting items that have come through my news reader recently.

uPNP abuse

Universal Plug-and-Play (uPNP) is a feature that is enabled by default in most home routers. uPNP allows a network-enabled device on your home network to tell your router to allow external connections back to the device, like a gaming console or a media server.

While this feature might be useful in some cases, it has a history of security-related problems. A recent example involves tricking chromecast and other google-friendly devices into playing a video promoting someone’s youtube channel. You might enjoy reading that article if you want an idea of how a character in your story could get a victim’s TV to show a video of your character’s choice. Imagine getting someone’s TV to show a forged emergency broadcast system alert, for example.

You might also want to consider disabling uPNP on your home router.

Non-technical cyberwarfare

Gizmodo has an article reminding us that sometimes you don’t need mad skills to crack a network. The FBI was able to acquire evidence against drug kingpin El Chapo by persuading his sysadmin to give them the keys to decrypt encrypted voice-over-IP conversations. If your story’s character needs to compromise an otherwise secure computer network, bribing or blackmailing an insider might be a good alternative.

Biometrics v. photography

Have you ever seen a movie where someone is only able to enter a lab or operations center after putting their palm on a handprint scanner? Apparently that’s a real thing: the scanner looks at how the user’s veins are arranged. It turns out that a photograph FROM SEVERAL METERS AWAY reveals enough detail to create a wax hand that will fool some of these scanners.

I recently watched Die Another Day (2002), and I think they used a severed hand to get through one of these things. So, that kind of messy unpleasantness isn’t even necessary any more!

And if you’re a Bond villain with a lair under a volcano that you access with a handprint scanner, think about wearing gloves in public.

Advertisement

Grand theft auto? Kidnapping? Murder? There’s an app for that.

This is a summary of three articles from the Sophos Naked Security blog that might be of interest to writers of stories involving cybercrime.

Break into a car in seconds

Many new cars come with an electronic fob on the keychain. The fob uses radio signals to tell the car to unlock. In a development which should surprise absolutely no one, criminals have found a way to abuse this feature. Looks like it takes two devices: one to record the fob’s signal and send it to the second device which opens the car door. This appears to work even if the fob is inside the owner’s house.

Your story’s character may not want to steal a car, but she might want the laptop the owner left sitting in the trunk.

Smartwatches are dumb

Does your story have a villain who’s not above kidnapping? He might use an insecure smartwatch to locate his target.

Smart pumps are also dumb

Does your story’s villain need to deliver a lethal does of morphine to a hospital patient? He could potentially do so from a safe distance if the patient is being treated with a device that regulates the IV drip. The vulnerabilities in the linked article are admittedly very difficult to exploit, but they’re indicative of the sloppy development of devices like this. The vendor says they’ll release an update this month to address the problem. It’s probably a firmware update. How many overworked hospital IT workers do you think will go around applying that update to every affected device?

May 2017 news roundup

Target is still paying for their 2013 data breach

Remember Target’s data breach from a few years ago? They are still paying for that. Target recently agreed to an $18.5 million settlement with 47 states and the District of Columbia. That NYT article mentions a $202 million total for “legal fees and other costs since the breach” (I tried reading the linked SEC statement about those payments and lost interest immediately). I don’t know if that $202 million includes this $18.5 million amount, but that’s an expensive mistake any way you look at it.

Breaking news: IoT still terrible

New research shows that Internet of Things (IoT) devices can divulge a lot of information about their owners. The researchers found that a passive network tap on a home network allowed them to monitor traffic rates for several IoT devices. Even if they couldn’t read the traffic itself, the researchers were able to infer a lot just by watching DNS queries and changes in the traffic rates of devices like sleep monitors, motion-activated security cameras, and an Amazon Echo. (This technique of traffic analysis has a long history.)

So imagine that your story’s character needs to spy on someone. If she can identify an exploit for the wireless router the target uses for his home network, she could potentially eavesdrop on the traffic going in and out of his home. If the sleep sensor tells her that he’s sleeping, or if a camera shows movement in one part of the house, that might tell her something useful.

BTW, the Amazon Echo inspired what has become my favorite XKCD entry.

Defeating security cameras

This one is a little older, so vendors have at least partially addressed these specific vulnerabilities, but it’s pretty interesting. Someone published exploits against several consumer-grade security cameras. These cameras have a similar setup process:

  • Mount the camera somewhere
  • Download a vendor-supplied app to your phone
  • Use the app to configure the camera via bluetooth (your phone talks directly to the camera)
  • Configure the camera to connect to your home’s wireless network
  • The camera sends image data to the cloud: the camera has no local storage

The researcher found ways to interrupt the operation of several camera models. Sending certain specially-crafted bluetooth messages to the camera would cause it to reboot, taking it briefly offline. Sending another kind of bluetooth message would tell the camera to connect to a different wireless network. If the attacker brings along a wireless access point (WAP) transmitting the same SSID specified in the bluetooth message, the camera will connect to that WAP, rendering the camera ineffective.

This latter exploit provides a more plausible version of the overused trope of splicing into a camera’s feed, recording a few minutes of boring footage, and replaying it endlessly for the security guard. If the camera only sends data to the cloud when it detects motion, then the absence of data implies the absence of motion. The attacker just needs some off-the-shelf hardware, some publicly-available exploit code, and physical proximity (bluetooth range) to the camera.

Late July 2016 roundup

Here are a few news stories that caught my interest lately. Maybe one of them will be good for a story.

Internet-connected cameras are a terrible idea

These devices seem like a great idea. You use one like a security camera, but it’s connected to the internet and has a web interface, so that you can log on to it from anywhere to download footage or pictures.

Unfortunately many devices like this don’t get much attention from the manufacturer after production. It turns out that lots of these cameras all have the same remotely-exploitable command injection vulnerability. So it’s not hard to use one or more of these cameras to perform distributed denial-of-service attacks on other targets. These cameras also have a common signature which makes them fairly easy to locate in things like the Shodan search engine.

A SANS infosec article about this points out that people install these devices on the same networks where they have servers hosting sensitive resources. So it’s not a stretch to imagine your main character using Shodan to find vulnerable cameras on a target network and using the cameras to attack the target’s web servers.

Turn your head and cough

Medical devices can have a similar problem. A hospital buys an X-ray machine, and it’s really expensive and mission-critical (it’s in the business of saving lives, after all), so no one wants to mess with it. The hospital just wants to install it and have it run perfectly forever.

But over time vulnerabilities creep in that neither the manufacturer nor the hospital wants to take the risk of patching, because who wants to stick a patient in an MRI machine only to find that the control system stopped working after running an update last night? As a result some of these medical devices are riddled with malware that crooks can use to attack riper targets. Does your character want to hack a hospital to get at patient data he can use for identity theft? It might not be that hard.

Grand theft auto

Here’s an article with video of someone using a laptop to steal a 2010 Jeep Wrangler. It’s not clear what the person is doing, but a policeman quoted in the article speculates that the thief used the laptop to persuade the car’s computer to recognize a key fob the thief had with him. It’s probably just a matter of time until that technique is possible with a phone. “There’s an app for that.”

And as if on cue, Fiat Chrysler is running a bug bounty to pay people to find and report security problems in cars’ computer systems.

20160619 news roundup

This blog is still an experiment, so I may try different things from time to time. Today I’m going to post a few news items that caught my interest lately. This serves a couple of purposes. It gives me a place to keep these things for later reference, and maybe it’ll provide you or me with something to put in a story.

Don’t use default passwords

The Liberal Party of Quebec uses video conferencing software to facilitate and/or record their meetings. No doubt they would prefer that the content of these meeting be confidential, but whoever set up the software left it with a default password. So it was easy enough for someone to connect to the videoconferencing software and to provide a vendor default password (which is probably in a publicly-available product manual). Someone did this and downloaded and published live and archived meeting content. This is a good illustration of the danger of not changing vendor default passwords.

Never shop for anything. Ever.

It’s getting harder and harder to have much privacy online. Sites like to track us as we browse the web, trying to figure out how ads affect our online shopping habits. And now it may be getting even worse. Facebook is planning to track us using our phones’ GPS and by the wireless access points our phones see (even if we don’t connect to the access points, our phones see them). Facebook can then sell this data to the owners of physical stores: “This many people physically visited one of your brick-and-mortar stores within this many days of viewing your advertisement online.” This is like that scene in Minority Report when the billboards address the Tom Cruise character by name as he walks through a store. I disable location services (GPS) on my phone, and when I think of it I turn off wireless when I’m away from home and work. It saves the battery, and it may help my privacy.

Aliens

For those of us who wonder about humanity’s ability to detect alien spacecraft, here’s an interesting data point. Asteroid 2016 HO3 has been a quasi-satellite of Earth for decades, and it was only discovered in April of this year. It’s probably between 120 and 300 feet in size. Imagine sitting in the stands of an American football stadium and looking at an object (or a space vessel) that starts at one end zone and stretches at least to the 40-yard line (and maybe to the opposing end zone). 2016 HO3 never gets very close (it wanders around between 38 and 100 times the distance between the Earth and the moon), but that might be close enough to get a look at us.

And today I learned that NASA has a Planetary Defense Coordination Office. They even have an organizational chart.