Friday, August 22, 2014

Justification for Your Paranoia

Here is your friendly aggregation of computer security news from the last ten days.

1. One of my favorite movies was just proven to be a lot more plausible:
If you've never seen the 2003 remake of The Italian Job, here is the relevant bit. Back in college, one thing I found particularly compelling about the movie was the moment when the character Lyle, a.k.a. "Napster" (played by Seth Green), hacks a city's traffic control system to change all of the lights in his favor during the final chase scene. Every aggressive driver's dream, right? Well, some researchers in the CS department at the University of Michigan just proved that it is terrifyingly easy to hack traffic lights. In their paper they describe how they very simply and very quickly seized control of an entire system of almost 100 intersections in an unnamed Michigan city from a single ingress point.
They also point out that the 5.8GHz and 900MHz wireless links over which the controllers communicate do support WPA2 encryption (as well as the older WEP and WPA standards, though WEP has been thoroughly broken for years, so WPA2 is the only one of the three worth enabling). Of course, that only helps if the people deploying them actually turn it on.
2. Shared memory on your mobile phone can be used to hack a wide variety of apps:
In a paper being presented at the USENIX Security Symposium today, some researchers from UC Riverside show how to use shared memory (a feature common to all mainstream operating systems) and other side channels on a mobile device to hijack apps as they are running. They were nice enough to provide some helpful video demos for those of us unable to attend the conference.
"Oh no!" you say. Don't panic yet. This, like so many other attacks on mobile systems, requires that malicious software already be installed on the phone being attacked. Of course, it's easy to get such software onto your phone (any app can have something else hidden in it). What do you do about it? Don't install any app unless you are 100% sure where it comes from. As if that was not already obvious.

3. There have been a couple of big hacks/data breaches lately that you might want to be concerned about:
First, Tennessee-based Community Health Systems (CHS) says that intruders accessed its systems over a three-month period earlier this year, compromising the names, addresses, and Social Security numbers (SSNs) of 4.5 million patients. CHS operates more than 200 hospitals in 29 US states. Its filing with the SEC says the attackers (purportedly based in China) were after information on the development of new medical devices. This is what comes of not patching Heartbleed. On the plus side, this is a drop in the bucket compared to the 140 million users leaked by eBay this year.
UPS has reported credit-card-stealing malware on systems in 51 stores in 24 states. While that is only about 1% of its locations, if you use UPS regularly and are in one of the affected areas, you may want to keep an eye on your card statements. Similar attacks hit roughly 180 grocery stores owned by SuperValu. Similar point-of-sale compromises at Target and other retailers have leaked more than a billion such records lately.
4. The HTTP Shaming tumblr is using public shaming to encourage better website encryption:
Public shaming has always been an effective means of social control. A Tumblr blog called HTTP Shaming lists apps and services that do not take sufficient measures to protect user data, chiefly by sending it in the clear over HTTP instead of HTTPS. The site's creator hopes that publicizing this will prompt companies to encrypt data sent over wireless networks. The list currently stands at 19 entries. If a case is deemed especially serious, it is not posted until the organization responsible has been contacted and given a chance to fix the problem.
5. Because everyone needs an onion router in their pocket:
For everyone who cares about anonymity (surprisingly few of us these days): a few new toys got some spotlight time at DEF CON this year. These personal onion routers fit in your pocket and automatically route all traffic from your machine through the Tor network, so nothing running on the client gets to decide whether it goes through Tor. The one being shown off was the Personal Onion Router To Assure Liberty, a.k.a. PORTAL (PDF of the detailed OPSEC presentation here), but there are a number of similar devices out there, including Safeplug (a consumer version with family-friendly marketing) and Onion Pi (a Raspberry Pi based Tor appliance).
Go get one.
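For the curious, here is the kind of transparent-proxy setup these pocket routers rely on, written out as an added example. This is not PORTAL's, Safeplug's or Onion Pi's own code; it assumes a Linux box with a LAN-facing interface (`LAN_IF`, defaulting to the hypothetical `eth1`) and a tor daemon configured with the torrc lines the script prints. Every TCP connection and every DNS query from the LAN side is redirected into Tor's TransPort and DNSPort, and everything else from the LAN is dropped so that a protocol Tor cannot carry (UDP, ICMP) never leaks out the WAN side. That fail-closed rule is the whole point of putting the router in a separate box.

```shell
#!/bin/sh
# Added example, not code from any of the devices named above.
# Assumed layout: LAN_IF faces the client machine, tor runs on this box.
LAN_IF="${LAN_IF:-eth1}"          # hypothetical interface name
TRANS_PORT="${TRANS_PORT:-9040}"  # Tor TransPort (must match torrc)
DNS_PORT="${DNS_PORT:-5353}"      # Tor DNSPort (must match torrc)
IPT="${IPT:-iptables}"            # set IPT=echo for a dry run that prints the rules

# torrc lines the firewall rules below assume: Tor's transparent proxy and
# DNS listeners, plus automatic mapping of .onion names to virtual addresses.
torrc_fragment() {
    cat <<EOF
VirtualAddrNetworkIPv4 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 0.0.0.0:${TRANS_PORT}
DNSPort 0.0.0.0:${DNS_PORT}
EOF
}

# Redirect new TCP connections and DNS queries arriving from the LAN into Tor,
# then fail closed: anything not redirected is dropped rather than forwarded.
apply_rules() {
    # DNS: send client lookups to Tor's resolver (no leak of hostnames to the ISP).
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -p udp --dport 53 -j REDIRECT --to-ports "$DNS_PORT"
    # TCP: every new connection (SYN) is handed to Tor's transparent proxy.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp --syn -j REDIRECT --to-ports "$TRANS_PORT"
    # Accept the redirected traffic on the local listeners.
    $IPT -A INPUT -i "$LAN_IF" -p tcp --dport "$TRANS_PORT" -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -p udp --dport "$DNS_PORT" -j ACCEPT
    # DHCP, if this box hands out addresses to the client.
    $IPT -A INPUT -i "$LAN_IF" -p udp --dport 67 -j ACCEPT
    # Kill switch: nothing from the LAN is forwarded directly to the internet,
    # and nothing else from the LAN reaches this box.
    $IPT -A FORWARD -i "$LAN_IF" -j DROP
    $IPT -A INPUT -i "$LAN_IF" -j DROP
}

# Usage: ./tor_router.sh apply   (as root, after starting tor with the
# torrc_fragment lines); run with IPT=echo first to review the rules.
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Run it with `IPT=echo` before applying anything to see the exact rules, and check the result from the client with a visit to check.torproject.org plus a DNS leak test: if either shows your real ISP, the redirect is incomplete and the DROP rules are the only thing saving you.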