There were many security-related events that made the top of the news cycle in 2017. As we start the new year, we want our readers to know which ones we think were the most important and why you should think about their implications in the year ahead.
Let’s check them out.
The Mercedes Automobile “Relay” Attack
Over the years, there have been a number of theoretical and actual security attacks against vehicles. But in 2017, Mercedes found itself vulnerable to a remote relay attack that allowed criminals to “extend” the range of a key fob to unlock a car, an especially scary form of thievery.
In a relay attack, an electronic device is held near the car while another is held near the key fob. The unlocking signal is “pulled” from the key fob and then wirelessly sent to the device near the car, which then broadcasts it to the car, allowing it to unlock. With a keyless start option, the thief can easily drive off as the broadcast device continues to emulate the key fob during a ride.
Mercedes doesn’t yet appear to have an answer to this vulnerability, though authorities recommend placing key fobs in a metal box, RFID-damping bag, or a similar Faraday cage-type device.
This particular attack is noteworthy in that it is the first time one has been caught on camera, “in the wild,” rather than demonstrated by a security researcher. In 2018, these types of attacks could become more common as the price of the necessary components continues to drop, putting them within easier reach of criminals.
This is a common problem for devices of this type, whether car keys or RFID-based, yet manufacturers have been slow to respond to these types of vulnerabilities. It is a trade-off between security and convenience, and in consumer-oriented products, convenience seems to win every time.
Uber Data Hack
Uber revealed that hackers stole information about 57 million driver and passenger accounts in 2016. What made the story worse was that Uber admitted to paying the attackers a ransom of $100,000 to prevent release of the data, and that it disclosed neither the attack nor the ransom.
When Uber learned of the hack, it also had the hackers sign non-disclosure agreements not to discuss the attack. In addition, Uber hid the attack and ransom as a payment from its bug bounty program, which is normally used to pay security researchers who find vulnerabilities. Not only was this a violation of users’ and drivers’ trust in how the company cared for personally identifiable information, it was also a business ethics violation in hiding it from shareholders.
The Chief Security Officer who arranged the deal was subsequently fired, and the CEO was removed from his position later for this, and other, issues within the company. The only reason the attack came to light was because of an investigation by the board of directors after the CEO stepped down.
While Uber committed ethics violations, put users at risk of identity theft, and possibly violated federal and state laws, there is also no guarantee that the hackers actually deleted the information after the ransom was paid. With digital data, there is no way to ensure it wasn’t copied first; it’s entirely possible that the information will find its way onto the Internet in the future.
Mozilla’s Product Security List
In addition to making the Firefox browser, the Mozilla organization also advocates for online privacy and security. In light of this, Mozilla published an article in 2017 talking about popular Internet-connected devices and the security implications of their use.
The primary goal of the article and the release of the list was to empower users. A survey conducted by Mozilla indicated that a large portion of people simply don’t know much about Internet security, particularly for connected devices. When asked about their shopping criteria for comparing devices, respondents ranked privacy and security last. As user education can only do so much, Mozilla decided to review products and see how they rated in terms of privacy and security.
The products reviewed include toys, game consoles, home hubs, smart-home devices, health and exercise devices, and general “gadgets.” For example, Adidas has a smart soccer ball that is linked to a mobile app via Bluetooth. While it can help improve your game, the app has the ability to use your device’s camera and microphone as well as track your location. The app also requires you to make an account with Adidas but it does not include privacy controls, though you are able to delete your account if you desire.
Moving forward in 2018, the convenience of connected devices has to be weighed against the security and privacy lost by using them. This is especially important when it comes to items for children, as they grow up in a world where “spying” on them is normal.
Website Session-Replay Scripts
Data analytics on websites track the pages you visit, how long you stayed, and what search terms you use. This is good for companies seeking to understand the behavior of their users and learning how to provide more of the content they enjoy. But session-replay scripts go further by actively recording your keystrokes, mouse movements, and even the contents of the pages you visit.
This data collection goes beyond the normal, aggregated data used to see how users interact with websites and to improve performance. With session replay, your actual interaction is recorded, much like a malicious keylogger. As such, even with an encrypted session to a web server (which prevents eavesdropping from outside the session), session-replay scripts can capture confidential information, such as banking credentials, health information, etc.
While services exist to automatically “scrub” sensitive information identified as user input from the recorded sessions, companies still have to audit their web pages to find where user information appears. In addition, any update to the site means another check for potential leaks.
In short, while replay scripts allow granular analytics for site publishers and controls are in place to reduce data spillage, there is still the potential for accidental data capture of private information.
There are several browser plugins or other software people can use to help maintain privacy in the new year. Privacy Badger, from the Electronic Frontier Foundation, helps block spying ads and trackers. Ghostery looks at embedded trackers and allows the user to determine which ones, if any, can run. uBlock Origin is a content filter, as well as an ad-blocker, which can be tuned per-site, if desired. NoScript allows the user to selectively block web scripts from running within a browser; while powerful, it does take some effort to customize, as it blocks all scripts by default, which can break site functionality.
Amazon Key Service
Amazon launched a delivery service in October, Amazon Key, that purports to eliminate the problem of people stealing Amazon deliveries from your doorstep. As part of the service, Amazon delivery members are allowed access inside your house to drop off packages; a smart lock allows the delivery person to enter a code that unlocks the door, while a cloud-connected camera allows monitoring of the delivery.
The problem, however, is that the cloud camera’s security can be compromised with a simple application on a device within Wi-Fi range of the camera. The application can not only disable the camera, but also freeze the image. Much like Hollywood movies depicting a thief looping a camera feed to security guards, this attack allows someone unfettered access to your house.
Briefly, the attack starts when the delivery person unlocks the house and delivers “the package.” Rather than re-locking the house with the Key app, the individual instead launches the malicious application to kick the camera off the Wi-Fi network, so that the feed shows only the last image taken. Since that image would be a closed door, as long as the application is running, the individual can re-enter the house and do anything desired without any video evidence.
While Amazon has released a patch to fix the problem, the easiest way around it is to simply not allow strangers access to your home when you aren’t there. There are a number of drop-boxes available on Amazon itself, as well as from other retailers. Amazon also offers Amazon Locker, where your package is placed in a locked container and you receive the combination to access it.
Of course, this probably isn’t the only vulnerability that will be found with this technology; any cloud-enabled product is only as secure as the hosting company claims, and with something like this, spoofing the software doesn’t take too much. It’s in Amazon’s interests to ensure this works well, but there are easier, and cheaper, ways to deal with packages getting stolen off your porch.
Avoid Getting Hacked
Motherboard, part of the Vice network of sites, maintains a guide to digital security. The latest edition (updated in November) provides a lot of information on online security and privacy, aimed at non-technical users. The guide is updated on a regular basis, adding new threats and vulnerabilities, but written with the average consumer in mind; you don’t have to be an IT person, much less an information security professional, to understand it. Consider it a primer on cyber security: a good place to start this year if you don’t know much about the subject, but not so overwhelming that you’ll get frustrated.
The guide starts out with basics, such as threat modeling (a.k.a. risk management), software patching, password management, and multi-factor authentication, followed by a section of general do’s and don’ts.
After this is a section focusing on mobile security, comparing the different cell phone operating systems, as well as talking about SIM card security. Following this is a discussion about privacy and counter-surveillance.
While the privacy section initially focuses on state surveillance and privacy from the government, it also talks about social media use, secure chat, VPNs, the Tor browser, encryption, and other topics.
The article finishes up with information about credit card use and notes that in-person interaction is still the preferred way to communicate securely. Finally, special notes are provided for journalists, as they face situations the average user does not.
While it isn’t all-inclusive, Motherboard’s article does a great job of explaining the current world of security and privacy, and is a good starting point for anyone interested in the basics, as well as learning more about information security.
MacOS Root Password Bug
Apple’s latest operating system for Mac computers was found to have a flaw last month.
The bug allowed anyone to become an administrative user without entering a password. While Apple has subsequently released a patch for this, not everyone updates their systems on a regular basis, which could lead to some systems being vulnerable even now…
The flaw could be triggered simply by opening System Preferences, switching to Users & Groups, and then clicking the lock to make changes. By typing “root” as the login name but leaving the password field blank, hitting the Enter key several times would eventually cause the system to log someone in as an administrator without a password.
While normally not available remotely, if a user had Screen Sharing enabled on the computer, a remote user could apply the exploit. Even if the root account was initially disabled, simply using the exploit would re-enable it.
A workaround was discovered to mitigate this bug: easily enough, it could be defeated by setting a root password. However, it did take Apple 12 days to release a patch for the problem, so unless a user knew to change the root password, they were vulnerable for nearly two weeks.
Every time an operating system is updated, or even an application, there is the chance that the update opens up a new vulnerability or breaks existing security features. This is one reason why large companies will test updates for days or weeks before implementing them. It’s also a reason why Long Term Support (LTS) releases of operating systems exist; it’s easier to secure a stable platform and apply minor patches than constantly trying to look for new bugs and vulnerabilities every six months.
Politicians Sharing Passwords
A British Member of Parliament was forced to resign after porn was found on his work computer. In his defense, another MP indicated it is common for staff to share passwords on computers, so it is possible that someone else had downloaded the porn to the computer.
Obviously, sharing passwords is a security hazard and, as the British are finding, also a privacy issue. Not keeping passwords secret defeats any attempt at accountability and information integrity. It also means that someone could do “bad things” with your account, and since there is no other information available, you are the only one held accountable.
This is easily alleviated through technology by delegating authority for certain actions electronically, such as receiving and responding to email. Collaborative tools, such as SharePoint, have been around for decades and can provide access to a single document to multiple users. There are even applications that allow simultaneous access.
In addition to security and privacy implications, sharing passwords is frequently a violation of User Agreements and can lead to job ramifications, such as being fired.
Web Site Hardening
Web sites rely almost entirely on scripts nowadays to perform everything from populating a template to capturing user input. Cross-site scripting (XSS) attacks rely on browsers automatically running scripts; simply put, XSS injects scripts into browsers that access normally trusted sites.
Hashes can be used to authorize inline scripts. Instead of trusting whatever script appears on the page, the site publishes the hash digest of each authorized script block, so any modification of the block will cause it to fail. When the browser sees the script block, it hashes it and compares the result to the authorized hash digest. If it matches, the script is executed. Otherwise, the script is ignored.
There are other ways to harden a website, but ultimately it comes down to going against the default behavior and not running every script that is presented on the site.
Google conducted a study to see how account hijackers actually take over accounts in the wild. By tracking several password-trading black markets, it was discovered that, of the passwords available, fewer than 1 million were captured via keyloggers, 12 million via phishing attacks, and 3.3 billion came from third-party data breaches.
Of the third-party breaches, 12% exposed both a Gmail account and its associated password; of those, 7% had the password reused on other accounts. Keyloggers and phishing attacks successfully captured a password less than 25% of the time.
However, due to improved security procedures, approximately 80% of phishing tools and keyloggers also collected a user’s IP address and physical location. Another 18% collected phone numbers and device information for mobile devices.
The key takeaway from this is that phishing attacks are the most successful at capturing credentials, followed by keyloggers and third-party breaches. Hence, users need to be more cognizant of email notifications and, rather than directly clicking links included in emails, access sites by typing in the address in their browser. This eliminates the possibility of being routed to a malicious site via invalid links.