Thursday, July 24, 2014

Justification for Your Paranoia

Here is your latest dose of details on how insecure your data really is...
Warning: I'm in a snarky mood today...

1. Hotel business center computers are easily compromised *GASP*:
The US Secret Service recently sent out an industry-only announcement about key-logging software found on workstation computers in a hotel business center in Texas. Reports indicate that the folks who installed this particular malware got basically everything they could ever want e-mailed to them (personally identifiable information, e-mail accounts, bank accounts, credit card numbers, login credentials, etc.). 
The real question is, who would use a public computer to log in to anything valuable? Seriously people, IT'S A PUBLIC COMPUTER. If anyone in the hotel industry or any consumer was surprised that this happened, they probably deserve to be hacked. These kinds of business centers may be ubiquitous, but the prevalence of mobile devices, tablets, and laptops makes them completely unnecessary.
2. Bank security systems have as many holes as Swiss cheese...
In yet another great example of two-factor authentication not really helping, Operation Emmental (yep, Swiss cheese) was a well-orchestrated attack on many European banks. Users would receive a fake e-mail that would install malware which replaced their SSL certificates with fakes, changed the device's DNS settings, then uninstalled itself (pretty minor really). The end result, though, is that the hackers could then intercept 2FA session tokens sent via SMS and reroute them.
More and more of these kinds of attacks keep showing up, making 2FA users no more secure than those of you who don't use it. At least those that use single session tokens. Time for a new plan...
3. In other internet-of-things news...You can hack a Tesla:
A team of Chinese collegiate hackers attending a conference in Beijing succeeded in breaking into the software used in Tesla Model S electric cars. The vulnerability enabled attackers to remotely unlock the vehicle, sound the horn, flash the lights, and open the sunroof while the car was in motion. It is similar to another Tesla security flaw found in April that let an attacker track the location of and unlock the doors on a Model S.
Before you go saying bad things about Tesla, keep in mind that software in Ford vehicles and the Toyota Prius was also hacked as part of a competition last year.
4. Even more reasons not to use an iPhone:
Some security researchers have identified a number of backdoors in iOS devices (iPhones, iPads, etc.) that can expose your personal data. The report points out that Apple can extract active data even from password-locked devices, including SMS, photos, videos, contacts, audio recordings, location information, and call history.
Since the report came out, Apple has publicly documented the vulnerable services, but claims that they are necessary diagnostic tools. The identified services include a packet sniffer, a file downloader that can bypass encryption, and a tool called, interestingly, "". Whether Apple support needs these tools for "diagnostics" or not, they are the very definition of a backdoor.
5. Your Android phone isn't much better:
Researchers at Cornell have demonstrated how to use Google Voice Search on an otherwise locked Android phone to forge SMS/Email, access privacy information, transmit sensitive data and achieve remote control of the device. They also showed that they can use an installed mobile app with zero permissions to trigger GVS and then play a prerecorded audio file (like "call ###-####") in the background without the user doing anything.
Note, you can disable Google Voice Search by going to Settings→Application Manager→All, scroll down to Google Text to Speech, and "Clear data and disable".