May 2017 news roundup

Target is still paying for their 2013 data breach

Remember Target’s data breach from a few years ago? They are still paying for that. Target recently agreed to an $18.5 million settlement with 47 states and the District of Columbia. That NYT article mentions a $202 million total for “legal fees and other costs since the breach” (I tried reading the linked SEC statement about those payments and lost interest immediately). I don’t know if that $202 million includes this $18.5 million amount, but that’s an expensive mistake any way you look at it.

Breaking news: IoT still terrible

New research shows that Internet of Things (IoT) devices can divulge a lot of information about their owners. The researchers put a passive network tap on a home network and monitored traffic rates for several IoT devices. Even though the traffic was encrypted and they couldn’t read its contents, they were able to infer a lot just by watching DNS queries (which reveal what kind of device is talking) and changes in the traffic rates of devices like sleep monitors, motion-activated security cameras, and an Amazon Echo. (This technique, traffic analysis, has a long history.)

So imagine that your story’s character needs to spy on someone. If she can identify an exploit for the wireless router the target uses for his home network, she could potentially eavesdrop on the traffic going in and out of his home (an ISP, or anyone else sitting upstream of the router, sees the same traffic without needing an exploit at all). If the sleep sensor tells her that he’s sleeping, or if a camera shows movement in one part of the house, that might tell her something useful.

BTW, the Amazon Echo inspired what has become my favorite XKCD entry.

Defeating security cameras

This one is a little older, so vendors have at least partially addressed these specific vulnerabilities, but it’s pretty interesting. Someone published exploits against several consumer-grade security cameras. These cameras have a similar setup process:

  • Mount the camera somewhere
  • Download a vendor-supplied app to your phone
  • Use the app to configure the camera via Bluetooth (your phone talks directly to the camera)
  • Configure the camera to connect to your home’s wireless network
  • The camera sends image data to the cloud: the camera has no local storage

The researcher found ways to interrupt the operation of several camera models. Sending certain specially-crafted Bluetooth messages to the camera would cause it to reboot, taking it briefly offline. Sending another kind of Bluetooth message would tell the camera to connect to a different wireless network. If the attacker brings along a wireless access point (WAP) transmitting the same SSID specified in the Bluetooth message, the camera will connect to that WAP, rendering the camera ineffective.

This latter exploit provides a more plausible version of the overused trope of splicing into a camera’s feed, recording a few minutes of boring footage, and replaying it endlessly for the security guard. If the camera only sends data to the cloud when it detects motion, then the absence of data implies the absence of motion. A monitoring service that only notices uploads, and never notices that the camera’s keepalive traffic has stopped, can’t tell a quiet night from a camera that has been knocked off the network. The attacker just needs some off-the-shelf hardware, some publicly-available exploit code, and physical proximity (Bluetooth range) to the camera.
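Here is an added example that ties the IoT traffic-analysis story and the camera story together. It is my own code for this roundup, not from either piece of research. Given flow records from a passive tap, it bins each device’s outbound bytes per minute, flags windows where the rate jumps far above that device’s baseline (the motion upload, the sleep monitor reporting a change), and separately flags a device whose keepalive traffic stops entirely, which is the defender’s only clue that a motion-only camera has been rebooted or pulled onto a rogue access point. The device names, byte counts, and timestamps are constructed for the example; the 5x threshold and the two-minute silence limit are assumptions you would tune per device.

```python
"""Added example: inferring activity from encrypted IoT traffic rates.

The flows below are constructed for this post (two made-up devices, made-up
byte counts); the thresholds are assumptions to tune per device.
"""
import statistics
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int         # seconds since the capture started
    device: str     # label for the device, e.g. learned from its DNS queries
    outbound: int   # bytes the device sent toward the internet (contents unreadable)


def bin_outbound(flows, window=60):
    """Sum outbound bytes per device per time window: {device: {window: bytes}}."""
    bins = defaultdict(lambda: defaultdict(int))
    for f in flows:
        bins[f.device][f.ts // window] += f.outbound
    return bins


def active_windows(series, baseline, factor):
    """Windows whose rate is far above the device's baseline: inferred activity
    (a motion-triggered upload, a sleep monitor reporting a state change)."""
    return sorted(w for w, n in series.items() if n > factor * baseline)


def silent_windows(series, last_window):
    """Windows in which the device sent nothing at all."""
    return [w for w in range(last_window + 1) if series.get(w, 0) == 0]


def longest_run(windows):
    """Length of the longest stretch of consecutive window numbers."""
    best = run = 0
    prev = None
    for w in windows:
        run = run + 1 if prev is not None and w == prev + 1 else 1
        best = max(best, run)
        prev = w
    return best


def analyse(flows, window=60, factor=5, max_gap=2):
    """Per device: baseline rate, inferred-activity windows, silent windows, and
    whether the silence is long enough to mean 'off the network' rather than
    'nothing happening'.  A motion-only camera that has been rebooted or pulled
    onto a rogue access point looks identical to a quiet night unless its
    keepalive traffic is watched too."""
    bins = bin_outbound(flows, window)
    last_window = max(f.ts for f in flows) // window
    report = {}
    for device, series in bins.items():
        baseline = statistics.median(n for n in series.values() if n > 0)
        silent = silent_windows(series, last_window)
        report[device] = {
            "baseline": baseline,
            "active": active_windows(series, baseline, factor),
            "silent": silent,
            "offline": longest_run(silent) > max_gap,
        }
    return report


def constructed_flows():
    """Constructed capture: sixteen minutes on a home network."""
    flows = []
    # Front-door camera: ~300 B/min of keepalives, one 80 kB motion upload in
    # minute 4, then nothing from minute 10 on (it was pushed onto a rogue AP).
    for m in range(10):
        flows.append(Flow(m * 60 + 7, "camera", 300))
    flows.append(Flow(4 * 60 + 30, "camera", 80_000))
    # Sleep monitor: steady 500 B/min all night, one bigger report in minute 12
    # when the sleeper gets up.
    for m in range(16):
        flows.append(Flow(m * 60 + 3, "sleep-monitor", 500))
    flows.append(Flow(12 * 60 + 40, "sleep-monitor", 6_000))
    return flows


if __name__ == "__main__":
    for device, r in analyse(constructed_flows()).items():
        print(device, r)
```

On the constructed capture the camera shows one activity window (minute 4) and then six consecutive silent minutes, so it is reported offline; the sleep monitor shows one activity window (minute 12) and is never silent. The baseline is the median of a device’s non-zero windows, so a single large burst doesn’t drag it upward.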

Computers are for everyone

Did you know that an experienced blind person can use a computer at least as efficiently as a sighted person? If you want to write about a character with a visual (or some other physical) impairment, it doesn’t preclude that character from using a computer.

Assistive technology (AT)

There’s a whole class of technology that helps people with physical challenges use computers. This is called assistive technology (AT). A lot of AT is focused on helping people with visual impairments, and that will be the focus of this post. But AT helps lots of people: Stephen Hawking is able to use a computer just by moving his cheek.

(The following paragraphs have a couple of YouTube links. If those links no longer work, try searching for “using a screen reader” on YouTube.com.)

People with diminished vision may use a screen magnifier, software which magnifies part of the computer screen. Here’s a short video of someone using a screen magnifier.

A person with little or no vision probably uses a screen reader, software which interprets what’s on the screen. Here’s a video (around 13 minutes long) of a woman using a screen reader. She has the screen reader set to read pretty fast (the reading speed is configurable), and it can go even faster. Someone who is good at listening to a screen reader can consume content even faster than a sighted user reading it off the screen.

Web accessibility

I’m a web programmer, and there is a vast array of techniques available to me to make web pages and web applications easier to use for people with certain types of difficulties (especially visual impairments). If you hear someone talking about web accessibility, they’re probably referring to these techniques. I don’t know nearly as much about this as I wish I did, and I quickly feel overwhelmed by the staggering amount of literature on the topic.

Making web pages accessible is important work. And it’s more than just the right thing to do. There is federal legislation requiring it, and there are real consequences in failure: there have been successful (and costly) court decisions requiring Netflix, Target, and institutions of higher education to make their electronic resources available to people with disabilities.

Here are a few simple things you can do to make your web pages more useful:

  1. When you create a link, make sure that the link text is meaningful by itself. People often tell the screen reader to read out a list of a page’s links. A link that just says “click here” is worse than useless.
  2. If the thing you use to make web pages allows it, provide alt text whenever you put an image on a web page. The alternative text should give a brief description of the image. The screen reader will read the alt text aloud, and this allows a visually impaired person to know what information you wanted to convey when you included the image. (And remember that uploading an image of text, a popular way of circumventing twitter’s 140-character length limit, only works if the user can read it.)
  3. If you are writing a long page with lots of different sections, use headers and sub-headers to break up the page (like the Web accessibility header on this page). Make sure you’re using actual headers, not just large text set off by itself (you probably want to look in the styles gizmo for something like “heading level N,” where N is a number between 1 and 6; HTML has six heading levels, h1 through h6). People sometimes tell the screen reader to read off the page’s headers so that the user can jump straight to the part of the page that interests them.
  4. Make sure your page has good color contrast. Light grey text on a white background is really hard to read for all kinds of people. You can use the WebAIM color contrast checker to test the contrast between two colors.
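A small audit of items 1, 2, and 4 above, as an added example (my own code, not something from WebAIM or WordPress). It computes the WCAG 2 contrast ratio that the WebAIM checker reports, and walks an HTML fragment looking for generic link text, images with no alt attribute, and inline color/background pairs that fall below the 4.5:1 AA minimum for normal-sized text. The sample HTML is constructed for this post, and the list of generic link phrases is my own.

```python
"""Added example: a contrast calculator plus a tiny accessibility lint.

The HTML sample is constructed for this post; the formulas are the WCAG 2
relative-luminance and contrast-ratio definitions that tools like the
WebAIM checker implement.
"""
from html.parser import HTMLParser

# Link phrases that mean nothing when a screen reader lists links on their own.
GENERIC_LINK_TEXT = {"click here", "here", "read more", "more", "link", "this"}
AA_NORMAL_TEXT = 4.5   # WCAG 2 AA minimum contrast for body text


def _hex_to_rgb(color):
    """'#abc' or '#aabbcc' -> (r, g, b) as 0..255 ints."""
    c = color.strip().lstrip("#")
    if len(c) == 3:
        c = "".join(ch * 2 for ch in c)
    return tuple(int(c[i:i + 2], 16) for i in (0, 2, 4))


def relative_luminance(color):
    """WCAG relative luminance: linearise each sRGB channel, then weight."""
    def lin(channel):
        c = channel / 255
        return c / 12.92 if c <= 0.03928 else ((c + 0.055) / 1.055) ** 2.4
    r, g, b = (lin(ch) for ch in _hex_to_rgb(color))
    return 0.2126 * r + 0.7152 * g + 0.0722 * b


def contrast_ratio(fg, bg):
    """(L_lighter + 0.05) / (L_darker + 0.05); ranges from 1 to 21."""
    l1, l2 = sorted((relative_luminance(fg), relative_luminance(bg)), reverse=True)
    return (l1 + 0.05) / (l2 + 0.05)


def _style_colors(style):
    """Pull color and background(-color) out of an inline style attribute."""
    decl = {}
    for part in style.split(";"):
        if ":" in part:
            name, value = part.split(":", 1)
            decl[name.strip().lower()] = value.strip().lower()
    return decl.get("color"), decl.get("background-color") or decl.get("background")


class A11yAudit(HTMLParser):
    """Collects findings for the three checks described in the post."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_link = False
        self._link_text = []
        self._href = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "img" and attrs.get("alt") is None:
            # alt="" is the convention for purely decorative images, so only a
            # missing attribute is flagged.
            self.findings.append(f"img without alt attribute: src={attrs.get('src')!r}")
        elif tag == "a":
            self._in_link, self._link_text, self._href = True, [], attrs.get("href")
        fg, bg = _style_colors(attrs.get("style") or "")
        if fg and bg and fg.startswith("#") and bg.startswith("#"):
            ratio = contrast_ratio(fg, bg)
            if ratio < AA_NORMAL_TEXT:
                self.findings.append(
                    f"<{tag}> contrast {ratio:.2f}:1 is below {AA_NORMAL_TEXT}:1 ({fg} on {bg})")

    def handle_data(self, data):
        if self._in_link:
            self._link_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._in_link:
            text = " ".join("".join(self._link_text).split()).lower()
            if not text or text in GENERIC_LINK_TEXT:
                self.findings.append(
                    f"link text {text!r} is meaningless out of context: href={self._href!r}")
            self._in_link = False


def audit(html):
    """Return the list of findings for an HTML fragment."""
    parser = A11yAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: two links to the same file, two images, one grey paragraph.
SAMPLE_HTML = """
<h1>Board minutes</h1>
<p>The agenda is attached. <a href="/agenda.pdf">click here</a></p>
<p><a href="/agenda.pdf">Download the May agenda (PDF)</a></p>
<img src="chart.png">
<img src="chart.png" alt="Bar chart: incidents per month, rising from 3 to 12">
<p style="color:#cccccc;background:#ffffff">Light grey on white</p>
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_HTML):
        print(finding)
```

Run against the sample it reports three findings: the “click here” link, the image with no alt attribute, and the grey-on-white paragraph, which comes out at about 1.61:1. For reference, black on white is 21:1, #767676 on white just clears 4.5:1, and #777777 on white just misses it.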

WordPress themes

At the time of this writing, I’m hosting this blog on wordpress.com using their free plan. As such I’m limited in the variety of themes I can use. The theme I selected (the Twenty Sixteen theme) is pretty bland, but it has better accessibility than most of the nicer-looking themes (which is why I picked it). Even so, it’s not perfect: the “share this” buttons have poor color contrast. This blog is still an experiment. If it seems successful, I’ll probably upgrade to one of the paid plans, which claim to offer greater theme customization.

So if you have a character who’s as blind as a bat, she can probably use a computer even better than some 20/20 mouth-breather.

Target, Home Depot, Ashley Madison, and third-party vendors

If you are interested in writing about large-scale data and credit card theft, you could look to the Target, Home Depot, and Ashley Madison data breaches for inspiration. Much of what we know about these breaches comes from reporter Brian Krebs. His blog is fascinating, and I recommend it very highly. This post will refer heavily to his reporting.

(This post refers both to Target the retailer and to the targets of crimes. Mind the capitalization to tell the difference.)

The retailer Target was the victim of a large data breach during the 2013 holiday shopping season. Criminals stole credit card information of 40 million customers and personal information (names, email and mailing addresses, phone numbers) of 70 million customers. The numbers here are so large that the thieves had trouble selling all the stolen credit card numbers before banks were able to cancel the credit cards, and some banks had trouble re-issuing cards, because the people who turn plastic into credit cards had a huge backlog of orders. (Target recently agreed to a $39.4 million settlement with banks and credit unions as a result of this breach.)

The picture that Krebs’ reporting paints about the Target breach is that it involved an external HVAC company that worked for Target. Someone at the HVAC company fell for a phishing attack, which probably installed a keylogger or some other malware on that employee’s PC, and this enabled the criminals to acquire login information to servers that Target’s vendors use to interact with Target (for work orders, billing, etc.). The criminals were able to use this access to install malware on the point-of-sale (POS) devices at Target stores. (Yes, there are probably several steps missing there, which I don’t understand, either, but it’s not the point of this post.) The POS malware was able to upload credit card data to another compromised server on Target’s internal network, and then that internal server exfiltrated the stolen data (gigabytes of it) to external FTP servers all over the world. (See Krebs’ coverage of the Target data breach for more details.)

Much the same thing happened to Home Depot in 2014. Criminals installed malware on thousands of self-checkout lanes at nearly every Home Depot location. The criminals got away with 56 million credit card numbers and 53 million customer email addresses. As happened with Target, the Home Depot network was initially breached using login credentials stolen from a third-party vendor. (Again, Krebs has more details about the Home Depot data breach.)

Although it didn’t involve credit card theft, the Ashley Madison story is similar. Ashley Madison is a social networking site created with the specific intention of enabling illicit (e.g., extra-marital) affairs. Someone managed to download and publish the account information of many or all of the AM users. Little is publicly known about how that information was acquired, but the CEO of AM’s parent company implied that it was the work of a non-employee who had previously had access to the AM information resources.

The takeaway here is something that might be useful for writing any kind of story about corporate hacking and espionage. In all three of these examples, a confirmed or suspected method of infiltration involved a vendor hired by the target company. Even if the vendor isn’t complicit, the vendor may be a softer target with lower standards of security (or with more access than they really needed). Breaching the vendor may give the attacker a foothold into the larger target.