Tag Archives: blackhat

Copying access control cards is easier w/ $10 device being released at BlackHat 2015

Proximity access cards are no more secure than a standard key .. and easily replicated with a $10 (to be released) tool. This was shared on ZDNet and with Motherboard. I have highlighted 2 key sections below for those interested in greater detail definitely check out the article. If you are lucky enough to see the presentation live at BlackHat, that will surely be better.

While RFID technology can help secure enterprise offices in this way, the ease in which these access controls can be hacked has hit the spotlight in the form of a tiny device which costs only $10 to make.

Researchers Mark Baseggio from security firm Accuvant and Eric Evenchick from Faraday Future are the developers of the Bluetooth Low Energy device (BLEKey), a coin-sized device which skims RFID cards, allowing users to clone items such as access cards.The team says the release of the tool is “valuable for understanding the risks associated with insecure access controls and what steps companies can take to lower the risk of access control attacks.” – ZDNet Article

I would raise the point that these attacks can now be down so easily that can the “control” of access control physically be fully trusted from a third party assurance perspective, an industry perspective such as PCI, or risk management? One could argue that cameras support this protection, but those are only employed after damage has been discovered and insufficient for all of the stakeholders involved.

“We wanted to create a device that would concretely and absolutely show and hopefully put the final nail in the coffin that is HID prox and Wiegand. These devices are no more secure than a standard key.” – Motherboard, Baseggio

The difference though with a ‘standard key’ is that takes some crafty spy work to make a copy without the owner being aware. To copy a HID card would take only seconds – at a gym, lanyards left at a desk, etc …

Glad the research cycle is exposing these risks and looking forward to creative approaches to counter it.

James

p.s. My new book – How not to be hacked is available and is PERFECT for your family and friends who keep getting smashed by online criminals, malware, and account hijacks!

Mobile ad fraud costs advertisers $1 billion a year, study says

Mobile devices are easy targets and when more dependency on wifi is enabled the conduct of fraud is easier to execute without detection. Also thinking this would be pretty to execute such advertising fraud, as described in the article, by installing similar tech onto all of the unsecured/patched/Internet of Things devices on the internet. Imagine this fraud with all of the consumer internet routers!

Details from the Fortune article:

The firm said that it tracked down more than 5,000 apps that were exhibiting suspicious behavior. It found the apps by using the real-time tracking data that it gets from the various mobile ad networks that it is integrated with, which allowed it to look for the kind of rapid ad-loading and background functions that most malicious apps exhibit…

Forensiq said its research showed that more than 13% of total mobile app inventory was at risk, and 14% of all mobile apps on iOS, Android and Windows Mobile platforms.

Over a period of 10 days, Forensiq says it observed more than 12 million unique devices with installed apps that exhibited fraudulent behavior: about 1% of all devices it observed in the U.S. and between 2% and 3% of those in Europe & Asia.

Mobile ad fraud costs advertisers $1 billion a year, study says.

… My comments on this report (not posted on Fortune due requirement to link social media account):

It’d be valuable to know how those Apps identified for fraud were ranked in the ‘App stores’. This way we could identify the popularity and likely spread of these apps. The 12 million figure is large, but out of a possible 1.3 billion devices it is hard to understand the sampling effect.

I’d love more intelligence on the ‘what’, so that regular readers of the article and users of the devices could clean out these Apps off their devices.

Gotta love Blackhat and DefCon week! All the research docs are released.

James

Android fragmented device market = high risk mobile platform

The market of mobile devices is experiencing faster growth than the PC, and with that growth comes user adoption, the need to enable systems to interoperate, and of course keep the data flowing. The challenge on mobile devices crosses many spectrums, but one area to highlight deals with the variety of “branches” of the Android operating system and device platforms.

A nice visual was put together over at OpenSignalMaps that shows the variant of devices running the Android OS based on their application collected data. This is by no means a complete list, but it effectively defines the problem space. There are a lot of platforms that can run Android, have apps installed, and each can be utilized by the consumer. This trend will only radically increase as more and more devices are enabled through Android licenses (TVs, cars, toasters, space ships, etc…).  The latest iterations from Amazon are a great demonstration of custom hardware, blended operating system components, and user linked service providers to application and device.

A quick bit of details on their findings – total distinct devices 3,997!  Though 1,363 were only seen once – may result of data source and one-hit wonders.  Still that is a very large population.  The device model breakdown is the top graphic .. the authors provided a number of different slices of the data, and it is worth reviewing.

As for an information security and compliance perspective, below are two key areas – software updates & chipsets:

  • Software updates … not timely, consistent, or completely absent depending on the platform.  This relates to the Apps compatibility with the platform and OS.  The operating system itself as highlighted on Google’s own dashboard shows a broader active OS base across legacy operating systems than Apple.  The lack of software updates – being applied; existing, and being compatible must be mitigated.  The problem must be framed here properly – Updates in the “new” mobile world are not always to patch security vulnerabilities.  Some, many, make feature updates that are user focused / backend improvements, etc…  Therefore some updates (read; SOME) are not necessary but are nice to haves.  The business needs to integrate these considerations within the broader IT framework management structure to ensure that risks are mitigated that exist.  Sometimes updating to the latest version (to get rid of that nasty little red number) is not the right course of action.
  • Hardware chipsets… not to be trusted.  The hardware that makes up these tablets is based on a global supply chain.  As organizations move beyond single vendor sourcing (ahh, the good ol’ days of Blackberry – yes I said it), to multi vendor / platform, awareness of the hardware becomes important.  Hardware is specifically a risk to be addressed when the focus is on High Value Assets and Persons.  Meaning those who have access to that type of data or are likely targets of attacks.  It it those persons you would manage the device platform selection upon.  The number of poisoned chipsets coming out of China and other areas is increasing.  An appropriate level of consideration is important.  Beyond poisoned chipsets (i.e., malware / trojans built in), some chipsets have flawed designs that are identified by researchers (and published such as at DefCon), and always utilized by attackers in the wild.

There are other areas of consideration, but the two above draw on the 80/20 rule… would love other thoughts here!

Google also has a developer dashboard that highlights information about the deployed operating system distribution and adoption (as recorded based on connection to Google’s Play) that is worth visiting.

To sum it up …Having worked with clients to understand, frame, and execute plans that embrace mobile technology across their business requires an understanding of what is the opportunity space. Each enterprise is a bit different as a result of industry, age of company, and of course their business objectives. The challenge of a fragmented (Android) market space is that it creates risks that need to be viewed across a spectrum within the organization. The fragmentation is not obvious (not 1,000+ iterations!) and so the field of risk is not within line of site.  Organizations tend to go through phases when adopting mobile technology (consumerization) – block; deny; resist; deny without blocking; and finally yield…  Given the fragmentation mature businesses move beyond simple prohibition, but instead initiate a process to put in place information security safeguards to mitigate the risk to an effective level.

The authors of the original study made a good point at the end – the blessing and curse of Android is the fragmentation and not knowing where the application will run and on what hardware (country, etc…).  Finding an operational balance is the key.

Thoughts?

James DeLuccia

Convergence Risk: Google Chrome and Extensions, at BlackHat 2011

Interesting quotes from guys that demonstrated attack vectors in Google’s Chrome during Blackhat 2011:

“The software security model we’ve been dealing with for decades now has been reframed,” Johansen said.  “It’s moved into the cloud and if you’re logged into bank, social network and email accounts, why do I care what’s stored in your hard drive?”

  • An important illumination regarding the shifting of the risk landscape.  How the user interfaces with data and the system has changed and challenges the current technology controls relied upon to safeguard the intellectual property.
  • What is the effective rate of end-point security (malware / phishing agents, anti-virus) on this new user case?
  • What is being deployed and effective – policy, procedure, technology, a hybrid?

“While the Chrome browser has a sandboxing security feature to prevent an attack from accessing critical system processes, Chrome extensions are an exception to the rule. They can communicate among each other, making it fairly easy for an attacker to jump from a flawed extension to steal data from a secure extension.”

  • Speaks to the issue of convergence of apps that are emerging on iPhones, Androids, respective tablets, TVs, browsers, operating systems, etc…  Similar to the fragmentation attacks of the past – where packets would be innocent separate, but when all received they would reform to something capable of malicious activity.

Interesting extension of risk here is that the platform and / or devices may be trusted and accepted by enterprises, but it is these Apps / Widgets / Extensions that are creating the security scenarios.  This requires a policy and process for understanding the state of these platforms (platforms here including all mobile devices, browsers, and similar App-Loadable environments) beyond the gold configuration build.

Another article on the Google Chrome extension risk described above.

Thoughts?

James DeLuccia

Joseph Black, ex-CIA, spoke on cyberwar and the future at Blackhat

Joseph Black a counter-terrorism expert spoke at Blackhat on Cyberwar and the challenges of communicating the threats to leadership.  A few core highlights of that talk:

“…toughest thing about predicting terrorist attacks was getting people in power to take the predictions seriously and to do something about it.”

  •  Similar challenges exist within business organizations where risk landscapes may be incomplete or lack linkages across the enterprise’s business elements and information security programs.
  • The media attention to data breaches though may create clarity on this threat.

“Validation of threats will come into your world,” Black said. “There is a delay to that validation. This is the greatest issue you are going to face.”

  • Meaning it will occur, but definitive examples and “reasons for deterrence” will not arise until it has already occurred.  So appropriate to begin maturing the minimization and management of valuable data and the incident response capabilities…

“…We are moving from the Cold War to ‘code war.'”

  • A code war yes for governments, but the driver for business leaders is the notion around businesses and nation states stealing intellectual property (which is defined loosely and inaccurately by many) to create competitive alternatives OR to bolster local quality of life for a unit of people.

There are interesting public examples where digital attacks created an advantage for an attacking force, and achieved the results that would have required military kinetic force.  Two examples include the hacking of Syria’s radar software in 2007 that allowed for the bombing of a nuclear reactor (Syrian radar screens were made blank), and Stuxnet that caused the centrifuges to spin aggressively while displaying readings to operators showing normal operation (this caused a multi-year negative impact to these plants).

“…the problem with cyber warfare is the “false flag,” where countries responsible for cyber attacks will be able to plausibly deny responsibility or otherwise shift the blame to a rogue element.”

  • Attribution challenges make kinetic responses highly susceptible to trickery / fraud.

The seriousness and sophistication of attack, motivation, and intent against organizations is palpable.  The next few years equal sophistication must be applied to deterrence and management of information security.

Other thoughts, research, insights?

– James DeLuccia

Wireless Insecurity … a near constant state: RFID, Bluetooth, 802.11

The securing of information assets is the core to ensuring operational integrity for every business, and is supported by security and compliance safeguards.  The near constant stream of innovation over the past 10 years has provided near ubiquitous wire(less) connectivity to an abundant number of devices.  Matched equally to this innovation and connectivity is the transportability of data.  Of course the data must be transported and portable; however, it must be done in a manner that supports the organization’s entire strategic objectives.
The reality of wireless technology has reached a crescendo with regards to WIFI / 802.11 within the payment card industry where encryption and two factor authentication was required to leverage these technologies.  Due to a number of data breaches (presumably), specific wireless technology is being banned from the payment card network.  Guidance on the wireless guidelines may be found here.
These lessons – that wireless technology can be eavesdropped; that the data can float literally anywhere (for confirmation turn on your wireless network card on an airplane and fire up a DHCP gateway application); that the only way to secure it is through strong crypto and TWO factor authentication.  All of these seem clear, but the last one should be elaborated on to understand that risks of Bluetooth and RFID.
2 Factor authentication beyond ensuring the identity of the individual provides a far more important safeguard – that the user intended to make a connection and goes through the handshake process.  This does not exist in these other technologies, and creates a great deal of risk to the users of these systems.
To provide specific context to why Bluetooth and RFID are risky business without proper safeguards consider the following:

  • Bruce Scheiener’s post on how passport RFID is dangerous and susceptible to attacks.  Here is a Wired article with more details.
  • DefCon radio scanners “read” and “recorded” the information off of security badges from the attendees.  This is the most security conscious / paranoid group that you can assemble, and this scanner caught unsecured badges.
  • When attending it is near unanimous that all wireless radios should be disabled
  • The data on these RFID type devices contains things as simple as identifiers to full names and departments.

(iphone focus of post, but applicable to all such capable devices) prior to getting on a plane TO Blackhat / DefCon.  The reason is simple: it is near certain that someone is running a scanner.

In the end these technologies do provide essential functions, but should cautiously deployed where security can be ensured and is tested properly.  Care should be given to the information applied to these transmitting devices.
NIST has a nice document here (800-98)

Other recommendations?

James DeLuccia