
Category Archives: RISK

How to follow me, well my car at least…

Conspiracy theorist ready your tin hats!

I’ve taken to listening to podcasts instead of music while running and heard some interesting news that encouraged me to rush back to my computer this morning and do some research.

History: Most of you will remember the Firestone tire recall from 1990 where more than 100 deaths were attributed to tire separation which was due to over-inflation of the tire.  In response to this, the Clinton Administration passed the TREAD Act.  One of the key provisions of this act was that all cars sold after Sept 1 2007 have TPMS (Tire Pressure Monitoring Systems) installed, which would give the driver near real time information on the status of tire pressure.  The information is fed back to your car’s ECU (“computer”) which would presumably know the optimum pressure for your factory tires and warn you of over/under inflation.

If you don’t know how these work, these are small devices which are stuck to the inside of your rim with a small RF sensor that is run by a small watch battery (see image at right).  The information is not real time; it is sent periodically (60-90 second intervals) to your car’s computer.  However, your computer is always “listening” for input from these devices.

The news around this is that researchers from Rutgers University have announced in a press release that they are going to discuss the dangers of spoofing these devices in order to gain access to the computer, possibly causing issues for the driver or the vehicle’s control systems.  The crux of the issue is that these devices have relatively short 32-bit IDs with no encryption between the tag (sensor) and the control unit.  According to the researchers, the protocol is also quite simple and easy to spoof.  They will (presumably) demonstrate this week how they can send/receive signals from these units up to 40 meters away.

So let’s put a privacy spin on this (ready your tin hats!).

  1. The sensors have a broadcast range of roughly 40 meters
  2. The IDs are easily spoofable (and easily identified)
  3. There isn’t any encryption
  4. The protocol is simple
  5. Broadcasts occur in timed increments (60-90 seconds)

So do you want to follow me?  You could.  Building a single sensor that would read the ID from one (or all) of my TPMS would be quite simple.  Place it in a location where I’m going 1.5 MPH or less (rough math using 40 meter coverage and a 60 second window) and you have a reasonable chance of being able to authenticate my presence, or at least my car’s presence, at that location.  Granted, you or I have a small issue here: the ability to do this on any scale that would be effective.  If you wanted to cover a large area or a large number of people, this would be quite an undertaking.  But if you are a government and control the local infrastructure of a municipality, you have quite an opportunity here.

 

Posted by on August 15, 2010 in RISK, Security, Technology, Wifi

 


Android and iPhone exploits revealed in past week

Over the weekend, a new Web-based jailbreak became available for iOS devices, offering users a simple method to open their devices to installation of unauthorized third-party applications.  An error in the processing of Compact Font Format (CFF) data within PDF files can be exploited to execute arbitrary code, e.g. when a user visits a specially crafted web page using Mobile Safari.

This is applicable to any iOS 4 device (all new iPhone 4s, iPads and any upgraded iPhone 3G and 3Gs).  One of the main features of iOS 4 was the sandboxing approach to applications.  This exploit bypasses the sandboxing by exploiting a third-party app.  I have to say this doesn’t help Adobe’s popularity in Cupertino.

Time will tell if Apple will release a patch to iOS to resolve the issue or if Adobe will have to update their code.  For the time being, the best advice is to browse “safely” (if that’s really possible anymore) or just not browse at all.

The Android exploit has a completely different twist on it.  Spider Labs released a DVD at Defcon last week that provided a method to root the device.  Once the exploit is applied, the Android device acts as a bot for the hacker, who has full remote control over the device, providing access to all the user information on it.  What makes this more interesting is that Spider Labs is an ethical hacking team using this approach to incentivize manufacturers to provide a fix to the issue more quickly.

“It wasn’t difficult to build,” said Nicholas Percoco, head of Spider Labs, who along with a colleague, released the tool at the Defcon hacker’s conference in Las Vegas on Friday.  Percoco said it took the team about two weeks to build the malicious software.

CNET reported that ten companies had data compromised.  The list included Pepsi, Coca-Cola, Apple, and Google amongst others.  All information was solicited through one phone call to an employee of the company.

************** UPDATE Aug 5th **********************

CNET has posted that Apple has acknowledged the issue and already has a fix.  They did not mention when it would be released but a software update is imminent.

************** UPDATE Aug 11th *********************

Apple has released iOS 4.0.2 for iPhone and iTouch as well as iOS 3.2.2 for the iPad to address this vulnerability.  Of course, a side effect of addressing this vulnerability is that it now breaks the functionality of JailbreakMe 2.0.  Not that this should be a surprise.

 


The Broken Window Theory applied to Information Security


The Broken Window Theory has two popularly accepted approaches to its application.

The original was an economic theory proposed in the 1850s.  Essentially it stated that even something bad that happens (e.g. the breaking of a window) has a positive effect on the economics of a society (the need to create another window and employ someone to install it).

There is a more contemporary theory that is focused on criminology, originally proposed in the March 1982 edition of The Atlantic Monthly.  It basically states that, if a few broken windows go unrepaired, there is a higher propensity for other windows to be broken.  From that, there is an even greater chance that other nefarious activities will become more prevalent in that location.

I’m going to take a leap here and compare the second theory with Information Security and reducing risk.

According to the theory, there are three factors that support why the condition of the environment affects crime (and the opportunity for crime):

  • social norms and conformity
  • the presence or lack of monitoring, and
  • social signalling and signal crime

In this first part, I’ll use Information Security examples to explain these factors:

Whether intentionally or not, the policies we create and enforce will affect the social norms of our computing environments.  If you do not enforce the needs of proper patch management or secure coding, you create a social norm where it is implicitly acceptable to not follow those policies.  Social norms tell us that people will do as the group does and will monitor others to make sure they act in the same manner.  If this holds true, then herein lies the answer to many departments’ problems.  Make sure you have a policy, that it’s well enforced and communicated to your end users, and the end users will help expand your monitoring capabilities to ensure it is being followed.  Seems too simple, right?

The second factor is the presence of monitoring.  Because of the nature of our environments, it’s not always possible for people to get feedback from those around them, and you cannot rely on (or even expect) any norms being transmitted from others.  In this case, you turn to your tools.  Even though you may have created and communicated the appropriate policies, now you need some technical controls in place to enforce them.

These technical controls are the third factor (signals) that indicate to the end users that they are (or are not) compliant with their activities.  So add accurate, timely, and visible monitoring to your list.

The other key component to take away from the Broken Window Theory is that addressing problems when they are small will give you the opportunity for easy, less expensive fixes.  A sound Risk Management methodology would tell you that addressing issues like patch management, policy violations, and secure coding practices earlier is less costly and less difficult than addressing them after they have been exploited and you are now dealing with a breach or data loss.

Sadly, the early economic theory of Broken Windows would state that all these things are good.  If a breach occurs many people will be employed conducting the investigation and doing research.  I feel I can confidently say that the business we own or work for would not be satisfied with us following that theory.  It would be far more acceptable to accept the social/criminology theory and begin to remediate many of our issues before they become larger problems.

 
 
