Saturday, March 28, 2015

Justification for Your Paranoia

It's one of those weeks... Rather than spend more time trying to stop my mother-in-law and grandmother-in-law from listening to tales of upcoming financial ruin from shysters trying to sell their latest nonsensical book, how about I take some time to write about more crazy things in the security world...

1) Keeping your phone from acting on its own...
I often say that I want my devices "to do exactly what I tell them to, only what I tell them to, and nothing more." While there is an argument to be made for the convenience of allowing your phone or computer to detect and make inferences about your current location or situation and immediately launch applications or tools that may be relevant to that situation or of having certain applications and bootstrappers running in the background, allowing computers this kind of autonomy is exactly what allows most malware to exist and operate undetected. I have a background in scripting and automation, and, again, it is wonderful to be able to kick off a script and then walk away and let the computer handle what would otherwise be an hour-long manual task, but those kinds of scripts are something you expressly launch and give permissions to each time they are needed.
As mobile phones increase in functionality, these devices are also becoming easy targets for malicious activity. Even the best-informed users cannot guarantee that every app they download and install is free of malicious payloads. Once on the user's phone, malware can potentially access the smartphone's resources to learn sensitive information about the user, activate the camera to spy on the user, make premium-rate phone calls without the user's knowledge, or use an NFC reader to scan for physical credit cards within its vicinity.
So what if the phone could distinguish between when a human user tells it to launch a tool or service, versus when an application tells it to do so? 
A study presented at this week's IEEE Conference on Pervasive Computing by members of the University of Alabama's SPIES program explains how the natural hand gestures associated with three primary smartphone services—calling, snapping and tapping—can be detected, in a way that withstands attack, using the motion, position and ambient sensors available on most smartphones together with machine learning classifiers. If a human user attempts to access a service, the gesture will be present and access will be allowed. In contrast, if a malware program makes an access request, the gesture will be missing and access will be blocked.
To demonstrate the effectiveness of this approach, researchers collected data from multiple phone models and multiple users in real-life or near real-life scenarios, simulating benign settings and adversarial scenarios. The results showed that the three gestures can be detected with a high overall accuracy and can be distinguished from one another and from other benign or malicious activities to create a viable malware defense.
“In this method, something as simple as a human gesture can solve a very complex problem,” Nitesh Saxena (director of SPIES) said. “It turns the phone’s weakest security component—the user—into its strongest defender.”
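To make the "gesture present or absent" decision concrete, here is an added example (not code from the SPIES researchers or from any phone platform) of a policy gate that only releases a sensitive service when the accelerometer history just before the request looks like a human gesture. The feature (variance of acceleration magnitude), the threshold, the window size and the two sample traces are all constructed for illustration; the real work uses trained classifiers over several sensors, which this stand-in does not reproduce.

```python
"""Gesture-gated access to sensitive phone services (added example, not
the SPIES project's code).

A request for calling, snapping (camera) or tapping (NFC) is allowed only
when the accelerometer samples immediately preceding the request show
motion consistent with a human gesture. A resting phone produces an
almost constant reading, which is what a malware-initiated request would
see; a lift-to-ear or point-the-camera motion does not.
"""
from dataclasses import dataclass
from statistics import pvariance
from typing import List, Tuple

Sample = Tuple[float, float, float]  # accelerometer (x, y, z), m/s^2

# Services that the page's scheme protects; others are not gated.
GATED_SERVICES = {"call", "snap", "tap"}


@dataclass
class GestureGate:
    window: int = 20          # samples inspected before a request (assumption)
    min_variance: float = 0.5  # below this the phone is resting (assumption)

    def gesture_present(self, trace: List[Sample]) -> bool:
        """Stand-in for the classifier: variance of |a| over the last window."""
        recent = trace[-self.window:]
        if len(recent) < self.window:
            return False  # not enough sensor history to decide: fail closed
        magnitudes = [(x * x + y * y + z * z) ** 0.5 for x, y, z in recent]
        return pvariance(magnitudes) >= self.min_variance

    def authorize(self, service: str, trace: List[Sample]) -> bool:
        """Allow the request only if a gated service is accompanied by a gesture."""
        if service not in GATED_SERVICES:
            return True
        return self.gesture_present(trace)


def resting_trace() -> List[Sample]:
    """Constructed: phone lying flat, gravity only on z, no motion."""
    return [(0.0, 0.0, 9.8)] * 40


def lift_trace() -> List[Sample]:
    """Constructed: phone being lifted and turned, magnitude changing sample to sample."""
    return [(1.0 * (i % 4), 0.5 * (i % 3), 9.8 + 3.0 * (i % 2)) for i in range(40)]


if __name__ == "__main__":
    gate = GestureGate()
    print("call from resting phone allowed:", gate.authorize("call", resting_trace()))
    print("call after lift gesture allowed:", gate.authorize("call", lift_trace()))
```

The gate fails closed when it has too little sensor history, which is the conservative choice for the case the post cares about: a request that arrives with no human motion behind it.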
2) Measuring password strength?
These days, the red/yellow/green bar that rates a password's strength is almost as familiar as the prompt to create that password. But when those meters give the go-ahead to passwords like "Password1!", their effectiveness is seriously called into question.

Mohammad Mannan at Concordia University sent millions of sucky passwords through meters used by several high-traffic web service providers including Google, Yahoo!, Dropbox, Twitter, and Skype. He and colleagues also tested some of the meters found in password managers, allegedly designed with the relevant expertise.
"We found the outcomes to be highly inconsistent. What was strong on one site would be weak on another," says Mannan. "These weaknesses and inconsistencies may confuse users in choosing a stronger password, and thus may weaken the purpose of these meters. But on the other hand, our findings may help design better meters, and possibly make them an effective tool in the long run."
On the plus side, they also revealed some decent password checkers out there. Dropbox's rather simple (and open-source) checker is quite effective in analyzing passwords, and is possibly a step in the right direction. At the very least, it does dictionary checks and automatically flags passwords that include recognizable words.
If you are just trying to create a decent password for a website you use and do not want to open a Dropbox account or check out their code to do so, there are a few other decent sources out there. My two favorites are:
Howsecureismypassword: This one provides a calculation, based on length and complexity, of how long it would take to brute-force your password, and also highlights common mistakes you may have made, such as using recognizable words, using common patterns, or excluding certain character sets. As an added bonus, for those of you who want to share everything on social media, it lets you tweet a picture of your results (but not your password) to your friends so you can brag about it (or paint a target on your forehead). Hint: the time estimates are based on a standard laptop; to avoid getting pwned by a hacker with a dedicated password-cracking machine, you want the number to be in the millions of years or better.
Passwordmeter provides more detailed feedback, giving you a weighted breakdown of your password's complexity based on length, character set, and whether or not you have things like repeated characters, sequential numbers, or consecutive characters of the same type. It does not do dictionary checks, and will still rate passwords like "1234Password" as "very strong", but the things it does highlight are quite useful. Hint: if anything gets flagged as orange (warning) or red (failure) by this tool, you should definitely fix it.
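The inconsistency Mannan describes comes down to what a meter looks at. As an added example (not Dropbox's checker, Passwordmeter's code, or anything from the study), the block below puts a length-and-character-class meter next to one that also does the dictionary and sequence checks, and runs both over the post's two problem passwords. The word list and the scoring thresholds are constructed for illustration.

```python
"""Two password meters side by side (added example; constructed scoring).

naive_label() rates on length and character classes only, which is why
meters of that kind wave through "Password1!" and "1234Password".
dictionary_aware_label() adds the checks the post credits the Dropbox
meter with (recognizable words) and Passwordmeter with (sequences), and
caps the rating when either fires.
"""
import string
from typing import List, Tuple

# Constructed stand-in for a real dictionary of common words/passwords.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "monkey"}

# Runs of four or more characters from these are treated as sequences.
SEQUENCES = ("0123456789", "abcdefghijklmnopqrstuvwxyz", "qwertyuiop")

CHARACTER_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                     string.digits, string.punctuation)


def naive_score(pw: str) -> int:
    """0..6: one point per character class present, plus length bonuses."""
    score = sum(any(c in cls for c in pw) for cls in CHARACTER_CLASSES)
    score += len(pw) >= 8
    score += len(pw) >= 12
    return score


def naive_label(pw: str) -> str:
    s = naive_score(pw)
    return "strong" if s >= 5 else "medium" if s >= 3 else "weak"


def contains_common_word(pw: str) -> bool:
    """Strip digit/symbol padding from the ends, then look for a known word."""
    core = pw.lower().strip(string.digits + string.punctuation)
    return any(word in core for word in COMMON_WORDS)


def has_sequence(pw: str, length: int = 4) -> bool:
    low = pw.lower()
    for seq in SEQUENCES:
        for i in range(len(seq) - length + 1):
            if seq[i:i + length] in low:
                return True
    return False


def dictionary_aware_label(pw: str) -> Tuple[str, List[str]]:
    """Same base rating, but any structural weakness caps it at 'weak'."""
    problems = []
    if contains_common_word(pw):
        problems.append("contains a dictionary word")
    if has_sequence(pw):
        problems.append("contains a keyboard or number sequence")
    label = "weak" if problems else naive_label(pw)
    return label, problems


if __name__ == "__main__":
    for candidate in ("Password1!", "1234Password", "xK7#pLq2!mWz"):
        print(f"{candidate:14} naive={naive_label(candidate):7} "
              f"aware={dictionary_aware_label(candidate)}")
```

Both of the post's examples earn a "strong" from the naive meter because they tick every box it knows about; the dictionary-aware one downgrades them for the reasons a human reviewer would. A meter that reports *why* a password is weak, as the second one does, is also the kind Mannan suggests would actually help users choose better.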

3) Stealing your data with Heat.
Air-gapping is one of the simplest yet strongest defenses against network-borne threats--simply put, don't plug the computer into a network, and, if possible, physically isolate it. But even unplugging the network cable cannot offer perfect protection from network-borne threats. 
Researchers from the Cyber Security Research Center at Israel’s Ben-Gurion University (BGU) have shown how even two air-gapped systems can be breached using only the heat they generate and their in-built thermal sensors to establish a covert communication channel. The method, dubbed BitWhisper, is part of ongoing research on air gap security. Last August, security researchers at the university demonstrated another method called AirHopper, in which they showed how it is possible for someone to surreptitiously extract data from a system using FM waves.
What makes BitWhisper different from other air gap research is the fact that this is the first time that researchers have been able to establish a bi-directional communication channel between two air-gapped systems. Also important is the fact that the method demonstrated does not involve the use of specialized hardware or peripherals. There are some caveats to keep in mind: for the method to be effective, the air-gapped computers have to be in close proximity to each other. The computers used to demonstrate BitWhisper, for instance, were separated by just 15 inches.
Both computers also had specialized malware installed on them that was capable of hooking into the thermal sensors on the systems and also of increasing the heat generated by the computers in a controlled manner. The heat-based communication protocol demonstrated by the researchers supports a data transfer rate of a mere 8 bits per hour. So the method is unlikely to be of much use for stealing data in volume from air-gapped systems, but it is an effective way to hack into an air-gapped network, transmit commands to it, and to steal passwords, secret keys, and similar data. It can also enable attackers to remotely command and control an air-gapped system.
According to the research paper: "By regulating the heating patterns, binary data is modulated into thermal signals. In turn, the adjacent PC uses its built-in thermal sensors to measure the environmental changes. These changes are then sampled, processed, and demodulated into binary data. Once a bridging attempt is successful, a logical link can be established between the air-gapped internal system and the public network. At this stage, the attacker can communicate with the formerly isolated network, issuing commands and receiving responses."
Here is a video of their prototype. It's kind of boring (because, as they said, 8 bits per hour...)
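The quoted paragraph describes on-off keying over a thermal channel, and the 8 bits per hour figure follows from how slowly a sensor reading follows a heat source. The added example below (a signal-level model written for this post, not the BitWhisper researchers' code) keys bits as heat-on/heat-off periods, runs them through a first-order lag that stands in for thermal inertia, and demodulates the sampled readings. The ambient temperature, the temperature swing, the time constant and the bit pattern are constructed; the point it shows is that shortening the bit period below the sensor's settling time turns the decoded data into garbage, which is why the channel is as slow as the researchers report.

```python
"""Thermal on-off keying with sensor lag (added example, constructed model).

simulate_sensor() produces the readings a neighbouring thermal sensor
would see while a transmitter alternates heat-on (bit 1) and heat-off
(bit 0), with the reading relaxing toward the target exponentially.
demodulate() averages the second half of each bit slot and thresholds it
at the midpoint between the two levels.
"""
from typing import List

AMBIENT = 40.0  # idle reading, degrees C (constructed)
SWING = 3.0     # rise when the neighbour heats up (constructed)
TAU = 3.0       # thermal time constant in samples (constructed)


def simulate_sensor(bits: List[int], samples_per_bit: int,
                    ambient: float = AMBIENT, swing: float = SWING,
                    tau: float = TAU) -> List[float]:
    """Sensor readings for one bit stream, samples_per_bit readings per bit."""
    temp = ambient
    readings = []
    for bit in bits:
        target = ambient + swing * bit
        for _ in range(samples_per_bit):
            temp += (target - temp) / tau  # first-order lag toward the target
            readings.append(round(temp, 3))
    return readings


def demodulate(samples: List[float], samples_per_bit: int,
               ambient: float = AMBIENT, swing: float = SWING) -> List[int]:
    """Recover bits: the tail of each slot is compared with the mid level."""
    midpoint = ambient + swing / 2
    bits = []
    for start in range(0, len(samples), samples_per_bit):
        slot = samples[start:start + samples_per_bit]
        tail = slot[len(slot) // 2:]  # skip the part still settling
        bits.append(1 if sum(tail) / len(tail) > midpoint else 0)
    return bits


def channel_is_reliable(bits: List[int], samples_per_bit: int) -> bool:
    """True when the chosen bit period is long enough for error-free decoding."""
    return demodulate(simulate_sensor(bits, samples_per_bit), samples_per_bit) == bits


if __name__ == "__main__":
    message = [1, 0, 1, 1, 0, 0, 1, 0]  # constructed payload
    for period in (1, 2, 8):
        print(f"{period} samples per bit -> reliable: "
              f"{channel_is_reliable(message, period)}")
```

With TAU of three samples, a bit period of eight samples lets every slot settle close to its level and the stream decodes cleanly; at one sample per bit the reading never gets past the midpoint on the first 1 and decoding fails. Scale the sample interval up to the minutes a real chassis takes to warm and cool and the bits-per-hour rate in the post falls out of the same arithmetic.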

4) This is just asking for an enterprising burglar to hack it...
Seriously...they're everywhere.
Self-service key making kiosks have started popping up all over the place. They're proliferating, and there is probably one at a store near you. In theory, these services (such as FastKey, MinuteKey, or KeyMe) are really convenient. They can all duplicate a variety of keys, sometimes with awesome designs.
However, KeyMe is particularly interesting because it has a feature that’s a boon for absent-minded people but a possible security nightmare: users can store keys either using their nearest kiosk, or by taking a picture of their key with the mobile app and ordering up a replacement through the mail. 
That's right...you can take a picture of your key and have someone make a copy remotely. Or you can store a digital image of your key in the kiosk, to have copies made at any time.
Now...if someone just happened to hack the kiosk...suddenly they could have keys to all sorts of interesting places...