Late July 2016 roundup

Here are a few news stories that caught my interest lately. Maybe one of them will be good for a story.

Internet-connected cameras are a terrible idea

These devices seem like a great idea. You use one like a security camera, but it’s connected to the internet and has a web interface, so that you can log on to it from anywhere to download footage or pictures.

Unfortunately many devices like this don’t get much attention from the manufacturer after production. It turns out that lots of these cameras all have the same remotely-exploitable command injection vulnerability. So it’s not hard to use one or more of these cameras to perform distributed denial-of-service attacks on other targets. These cameras also have a common signature which makes them fairly easy to locate in things like the Shodan search engine.

A SANS infosec article about this points out that people install these devices on the same networks where they have servers hosting sensitive resources. So it’s not a stretch to imagine your main character using Shodan to find vulnerable cameras on a target network and using the cameras to attack the target’s web servers.

Turn your head and cough

Medical devices can have a similar problem. A hospital buys an X-ray machine, and it’s really expensive and mission-critical (it’s in the business of saving lives, after all), so no one wants to mess with it. The hospital just wants to install it and have it run perfectly forever.

But over time vulnerabilities creep in that neither the manufacturer nor the hospital wants to take the risk of patching, because who wants to stick a patient in an MRI machine only to find that the control system stopped working after running an update last night? As a result some of these medical devices are riddled with malware that crooks can use to attack riper targets. Does your character want to hack a hospital to get at patient data he can use for identity theft? It might not be that hard.

Grand theft auto

Here’s an article with video of someone using a laptop to steal a 2010 Jeep Wrangler. It’s not clear what the person is doing, but a policeman quoted in the article speculates that the thief used the laptop to persuade the car’s computer to recognize a key fob the thief had with him. It’s probably just a matter of time until that technique is possible with a phone. “There’s an app for that.”

And as if on cue, Fiat Chrysler is running a bug bounty to pay people to find and report security problems in cars’ computer systems.

Two-factor authentication

Many online services offer two-factor authentication (2fa) to protect users’ accounts. When you enable 2fa on an account, it means that you still log in with a username and password, but then you have to enter a one-time code before you can access your account. How you get the code (typically a six-digit number) depends on the implementation: twitter sends you the code in an SMS text message, while others (like google and facebook) have you look up the code in a mobile app. Either way, you generally get the code with your phone. The point of this is to make it harder for someone to break into your online account, because they’d have to know your password and have access to your phone.

So logging in with 2fa means taking an extra step which at times can feel like a nuisance. The way I look at it is that it’s a minor inconvenience for me, but it’s a significant inconvenience to someone who wants to steal my account.

2fa isn’t a new innovation. I knew someone in the late 1990s who worked for a government-funded research facility, and he carried around a little device in his pocket. When he needed to log in to one of the facility’s computers, he’d have to look at the code that appeared on the device’s screen and enter that code in order to complete his login process. It worked very much like modern 2fa implementations.

More and more online services are offering 2fa, and I encourage you to start using it wherever you can. The Two Factor Auth (2FA) web site provides of list of who does and who doesn’t offer 2fa login features. This can be a good place to see which of your accounts have 2fa available, and the 2fa site typically has a link to the documentation on how to set up 2fa for each service.

2fa makes it a lot harder for someone to take over an account, but it’s not perfect (and this is the part that might be useful to a writer who needs her main character to defeat a 2fa-protected account). Someone gained control of the twitter account of political activist DeRay Mckesson, an account that had 2fa enabled. The criminal contacted Verizon (Mckesson’s mobile provider) and convinced the billing department that Mckesson’s cell phone number had changed. So SMS messages that should have gone to Mckesson instead went to the criminal’s phone. The criminal then used twitter’s “forgot my password” feature and received an SMS message with the code the criminal needed to complete the account theft.

This is a good reminder of how effective social engineering can be. Some people will do anything to end a phone conversation with an angry-sounding customer. Sometimes the best hacks exploit people, not computers.

By the way, that Naked Security post (near the end) has some tips on how to enable security features on the accounts of several mobile providers, including Verizon. That might or might not have made a difference in DeRay Mckesson’s incident, but it might have made it easier for him to regain control of his Verizon account.

20160619 news roundup

This blog is still an experiment, so I may try different things from time to time. Today I’m going to post a few news items that caught my interest lately. This serves a couple of purposes. It gives me a place to keep these things for later reference, and maybe it’ll provide you or me with something to put in a story.

Don’t use default passwords

The Liberal Party of Quebec uses video conferencing software to facilitate and/or record their meetings. No doubt they would prefer that the content of these meeting be confidential, but whoever set up the software left it with a default password. So it was easy enough for someone to connect to the videoconferencing software and to provide a vendor default password (which is probably in a publicly-available product manual). Someone did this and downloaded and published live and archived meeting content. This is a good illustration of the danger of not changing vendor default passwords.

Never shop for anything. Ever.

It’s getting harder and harder to have much privacy online. Sites like to track us as we browse the web, trying to figure out how ads affect our online shopping habits. And now it may be getting even worse. Facebook is planning to track us using our phones’ GPS and by the wireless access points our phones see (even if we don’t connect to the access points, our phones see them). Facebook can then sell this data to the owners of physical stores: “This many people physically visited one of your brick-and-mortar stores within this many days of viewing your advertisement online.” This is like that scene in Minority Report when the billboards address the Tom Cruise character by name as he walks through a store. I disable location services (GPS) on my phone, and when I think of it I turn off wireless when I’m away from home and work. It saves the battery, and it may help my privacy.

Aliens

For those of us who wonder about humanity’s ability to detect alien spacecraft, here’s an interesting data point. Asteroid 2016 HO3 has been a quasi-satellite of Earth for decades, and it was only discovered in April of this year. It’s probably between 120 and 300 feet in size. Imagine sitting in the stands of an American football stadium and looking at an object (or a space vessel) that starts at one end zone and stretches at least to the 40-yard line (and maybe to the opposing end zone). 2016 HO3 never gets very close (it wanders around between 38 and 100 times the distance between the Earth and the moon), but that might be close enough to get a look at us.

And today I learned that NASA has a Planetary Defense Coordination Office. They even have an organizational chart.

Passwords: salts, hashes

In the previous post we saw that network and web site accounts with reasonable security use hash functions to protect passwords.

But even using a hash function isn’t enough, because the bad guys have rainbow tables. A rainbow table is a list of common passwords (like Password123) and their hash values. So if a site suffers a data breach exposing account data, a simple hash function won’t be much of a barrier, because the criminal can compare the hash values (in the breach data) against a rainbow table and recover many of the weaker passwords.

To counter rainbow tables, sites typically salt users’ passwords: when someone creates a password, the site generates some random characters (the salt), appends that to the user’s password, runs the salted password through the hash function, and then stores the hash value and the salt. When the user tries to log in, the site takes the password they typed, appends the salt stored with the user’s account, sends that through the hash function, and compares the hash values.

Salting hashes sets the bar a lot higher, because the criminal would need to compute a new rainbow table for each password (because each password will have a different salt).

This is why I get frustrated with fiction that makes it look easy to crack passwords. Any account worth hacking will likely be protected by some or all of the following safeguards:

  1. salted and hashed passwords
  2. a password policy enforcing complexity rules (e.g., your password has to be at least eight characters, has to include numbers and punctuation characters, and can’t look too much like a word)
  3. active response locking an account after too many failed attempts
  4. two-factor authentication (you log in with your username and password, but then the site won’t give you access until you enter a code it sends to your cell phone)

Active response in particular makes guessing passwords impractical. If your character is trying to break into a network or web site account, too many failed attempts are going to end up locking the target account. Your character is better off trying to steal the password with a phishing attack, social engineering, using a keylogger, exploiting a flaw in the “forgot my password” feature, or even a security camera pointed at the keyboard.

And an account protected by two-factor authentication is nearly unassailable, because your character would need the target’s password and their cell phone. Social engineering might be best here.