Back in 2010, I described what I called the ‘first rule of the internet‘:
Against a sophisticated attacker, nothing connected to the internet is secure.
To this, I feel like I should add a second item:
Everything is internet now.
While there were once large numbers of electronic systems entirely disconnected from the internet, nowadays virtually everything is either connected to the internet constantly or occasionally connected to a device that is online. Your cell phone is probably always accessible to a sophisticated attacker using the internet, and the same is probably true for landlines using VoIP. Many of your computers are probably constantly connected to wireless networks (themselves targets for attack) and exposed to the wider internet through your broadband connection at all times.
Web integration with computers has reached the point that Google’s Chrome browser now treats ‘search’ and ‘GMail’ as apps within the Chrome environment.
The implication of combining the first and second rules is pretty plain. If you manage to attract the attention of a sophisticated attacker, they can probably get into the contents of your cell phone and your GMail account, as well as the hard drive of your PC and laptop, the ubiquitous webcams now built into computers, and so on. There is also a good chance they can take over your email, websites, Twitter accounts, and the like and use them for their own purposes.
{ 11 comments… read them below or add one }
Defending Your Cellphone Against Malware
“Kate Murphy writes that as cellphones have gotten smarter, they have become less like phones and more like computers, and that with more than a million phones worldwide already hacked, technology experts expect breached, infiltrated or otherwise compromised cellphones to be the scourge of 2012. Cellphones are often loaded with even more personal information than PCs, so an undefended or carelessly operated phone can result in a breathtaking invasion of individual privacy as well as the potential for data corruption and outright theft. But there are a few common sense ways to protect yourself: Avoid free, unofficial versions of popular apps that often have malware hidden in the code, avoid using Wi-Fi in a Starbucks or airport which leaves you open to hackers, and be wary of apps that want permission to make phone calls, connect to the Internet or reveal your identity and location.”
Android Malware May Have Infected 5 Million Users
“A massive Android malware campaign may be responsible for duping as many as 5 million users into downloading the Android.Counterclan infection from the Google Android Market. The trojan collects the user’s personal information, modifies the home page, and displays unwanted advertisements. It is packaged in 13 different applications, some of which have been on the store for at least a month. Several of the malicious apps are still available on the Android Market as of 3 P.M. ET. Symantec has posted the full list of infected applications.”
Stealing Smartphone Crypto Keys Using Radio Waves
“Encryption keys on smartphones can be stolen via a technique using radio waves, says one of the world’s foremost crypto experts, Paul Kocher, whose firm Cryptography Research will demonstrate the hacking stunt with several types of smartphones at the upcoming RSA Conference in San Francisco next month.”
Death knocks. Phone hacks.
Yeah, phone hacks. So what? Everybody had been at it a few years before. What was the difference, in the end, between that and eavesdropping? And everyone eavesdropped. If you had nothing to hide, you had nothing to worry about. But so many of the politicians did seem to have something to hide. There must be some sort of self-destructive impulse that went along with the lust for glory.
Your encryption doesn’t work because you cannot keep a key safe. You can’t memorize a key that is long enough to be secure and as soon as you write it down electronically an attacker can gain access to it.
“Elsewhere, driven by the acceleration of computing power and connectivity and the simultaneous development of surveillance systems and tracking technologies, we are approaching a theoretical state of absolute information transparency, one in which ‘Orwellian’ scrutiny is no longer a strictly hierarchical, top-down activity, but to some extent a democratized one. As individuals steadily lose degrees of privacy, so to do corporations and states. Loss of traditional privacies may seem in the short term to be driven by issues of national security, but this may prove in time to be intrinsic to the nature of ubiquitous information.
Certain goals of the government’s Total (now Terrorist) Information Awareness initiative may eventually be realized simply by the evolution of the global information system – but not necessarily or exclusively for the benefit of the United States or any other government. This outcome may be an inevitable result of the migration to cyberspace of everything that we do with information.
Had Orwell known that computers were coming (out of Bletchley Park, oddly, a dilapidated English country house, home to the pioneering efforts of Alan Turing and other wartime code-breakers) he might have imagined a Ministry of Truth empowered by punch cards and vacuum tubes to better wring the last vestiges of freedom from the population of Oceania. But I doubt his story would have been very different. Would East Germany’s Stasi have been saved if its agents had been able to mouse away on PCs into the Nineties? The system would still have been crushed. It just wouldn’t have been under the weight of paper surveillance.”
Gibson, William. Distrust That Particular Flavor. p.168-9 (hardcover)
Tons of your data held by other people is vulnerable over the Internet now:
* medical records held on web-connected computers in clinics and hospitals
* call history information held by your phone company
* purchase and rental records from businesses
And so on.
Even if you never go online, plenty of private information about you is vulnerable to access by capable attackers.
The fuss erupted in January after media reports drew attention to how many of the party’s leading lights are being spied on, sometimes with clandestine methods. A lengthy file on Gregor Gysi, head of the Left’s parliamentary group, is blacked out where the data was gathered by state agencies using “intelligence methods”.
“A hard-to-detect piece of malware that doesn’t create any files on the affected systems was dropped onto the computers of visitors to popular news sites in Russia in a drive-by download attack, according to Kaspersky Lab. ‘What’s interesting about this particular attack is the type of malware that was installed in cases of successful exploitation: one that only lives in the computer’s memory. … It’s ideal to stop the infection in its early stages, because once this type of “fileless” malware gets loaded into memory and attaches itself to a trusted process, it’s much harder to detect by antivirus programs.‘”
TEDxMidAtlantic 2011 – Avi Rubin – All Your Devices Can Be Hacked
Wi-Fi Enabled Digital Cameras Easily Exploitable
“Users’ desire to share things online has influenced many markets, including the digital camera one. Newer cameras increasingly sport built-in Wi-Fi capabilities or allow users to add SD cards to achieve them in order to be able to upload and share photos and videos as soon as they take them. But, as proven by Daniel Mende and Pascal Turbing, security researchers with ERNW, these capabilities also have security flaws that can be easily exploited for turning these cameras into spying devices. The researchers chose to compromise Canon’s EOS-1D X DSLR camera and exploit each of the four ways it can communicate with a network. Not only have they been able to hijack the information sent from the camera, but have also managed to gain complete control of it.”
{ 1 trackback }