The second rule of the internet

2012-01-30


Back in 2010, I described what I called the ‘first rule of the internet’:

Against a sophisticated attacker, nothing connected to the internet is secure.

To this, I feel like I should add a second item:

Everything is internet now.

While there were once large numbers of electronic systems entirely disconnected from the internet, nowadays virtually everything is either connected to the internet constantly or occasionally connected to a device that is online. Your cell phone is probably always accessible to a sophisticated attacker using the internet, and the same is probably true for landlines using VoIP. Many of your computers are probably constantly connected to wireless networks (themselves targets for attack) and exposed to the wider internet through your broadband connection at all times.

Web integration with computers has reached the point that Google’s Chrome browser now treats ‘search’ and ‘GMail’ as apps within the Chrome environment.

The implication of combining the first and second rules is pretty plain. If you manage to attract the attention of a sophisticated attacker, they can probably get into the contents of your cell phone and your GMail account, as well as the hard drive of your PC and laptop, the ubiquitous webcams now built into computers, and so on. There is also a good chance they can take over your email, websites, Twitter accounts, and the like and use them for their own purposes.


{ 29 comments }

. January 31, 2012 at 7:17 am

Defending Your Cellphone Against Malware

“Kate Murphy writes that as cellphones have gotten smarter, they have become less like phones and more like computers, and that with more than a million phones worldwide already hacked, technology experts expect breached, infiltrated or otherwise compromised cellphones to be the scourge of 2012. Cellphones are often loaded with even more personal information than PCs, so an undefended or carelessly operated phone can result in a breathtaking invasion of individual privacy as well as the potential for data corruption and outright theft. But there are a few common sense ways to protect yourself: Avoid free, unofficial versions of popular apps that often have malware hidden in the code, avoid using Wi-Fi in a Starbucks or airport which leaves you open to hackers, and be wary of apps that want permission to make phone calls, connect to the Internet or reveal your identity and location.”

. January 31, 2012 at 7:18 am

Android Malware May Have Infected 5 Million Users

“A massive Android malware campaign may be responsible for duping as many as 5 million users into downloading the Android.Counterclan infection from the Google Android Market. The trojan collects the user’s personal information, modifies the home page, and displays unwanted advertisements. It is packaged in 13 different applications, some of which have been on the store for at least a month. Several of the malicious apps are still available on the Android Market as of 3 P.M. ET. Symantec has posted the full list of infected applications.”

. January 31, 2012 at 7:19 am

Stealing Smartphone Crypto Keys Using Radio Waves

“Encryption keys on smartphones can be stolen via a technique using radio waves, says one of the world’s foremost crypto experts, Paul Kocher, whose firm Cryptography Research will demonstrate the hacking stunt with several types of smartphones at the upcoming RSA Conference in San Francisco next month.”

. January 31, 2012 at 8:57 pm

Death knocks. Phone hacks.

Yeah, phone hacks. So what? Everybody had been at it a few years before. What was the difference, in the end, between that and eavesdropping? And everyone eavesdropped. If you had nothing to hide, you had nothing to worry about. But so many of the politicians did seem to have something to hide. There must be some sort of self-destructive impulse that went along with the lust for glory.

Anon February 5, 2012 at 6:08 pm

Your encryption doesn’t work because you cannot keep a key safe. You can’t memorize a key that is long enough to be secure and as soon as you write it down electronically an attacker can gain access to it.

. February 16, 2012 at 9:49 am

“Elsewhere, driven by the acceleration of computing power and connectivity and the simultaneous development of surveillance systems and tracking technologies, we are approaching a theoretical state of absolute information transparency, one in which ‘Orwellian’ scrutiny is no longer a strictly hierarchical, top-down activity, but to some extent a democratized one. As individuals steadily lose degrees of privacy, so too do corporations and states. Loss of traditional privacies may seem in the short term to be driven by issues of national security, but this may prove in time to be intrinsic to the nature of ubiquitous information.

Certain goals of the government’s Total (now Terrorist) Information Awareness initiative may eventually be realized simply by the evolution of the global information system – but not necessarily or exclusively for the benefit of the United States or any other government. This outcome may be an inevitable result of the migration to cyberspace of everything that we do with information.

Had Orwell known that computers were coming (out of Bletchley Park, oddly, a dilapidated English country house, home to the pioneering efforts of Alan Turing and other wartime code-breakers) he might have imagined a Ministry of Truth empowered by punch cards and vacuum tubes to better wring the last vestiges of freedom from the population of Oceania. But I doubt his story would have been very different. Would East Germany’s Stasi have been saved if its agents had been able to mouse away on PCs into the Nineties? The system would still have been crushed. It just wouldn’t have been under the weight of paper surveillance.”

Gibson, William. Distrust That Particular Flavor. p.168-9 (hardcover)

NotJustYourMachines February 16, 2012 at 10:19 am

Tons of your data held by other people is vulnerable over the Internet now:

* medical records held on web-connected computers in clinics and hospitals
* call history information held by your phone company
* purchase and rental records from businesses

And so on.

Even if you never go online, plenty of private information about you is vulnerable to access by capable attackers.

. March 4, 2012 at 7:48 pm

The fuss erupted in January after media reports drew attention to how many of the party’s leading lights are being spied on, sometimes with clandestine methods. A lengthy file on Gregor Gysi, head of the Left’s parliamentary group, is blacked out where the data was gathered by state agencies using “intelligence methods”.

. March 19, 2012 at 7:24 pm

“A hard-to-detect piece of malware that doesn’t create any files on the affected systems was dropped onto the computers of visitors to popular news sites in Russia in a drive-by download attack, according to Kaspersky Lab. ‘What’s interesting about this particular attack is the type of malware that was installed in cases of successful exploitation: one that only lives in the computer’s memory. … It’s ideal to stop the infection in its early stages, because once this type of “fileless” malware gets loaded into memory and attaches itself to a trusted process, it’s much harder to detect by antivirus programs.’”

. March 19, 2012 at 7:39 pm
. March 25, 2013 at 10:55 pm

Wi-Fi Enabled Digital Cameras Easily Exploitable

“Users’ desire to share things online has influenced many markets, including the digital camera one. Newer cameras increasingly sport built-in Wi-Fi capabilities or allow users to add SD cards to achieve them in order to be able to upload and share photos and videos as soon as they take them. But, as proven by Daniel Mende and Pascal Turbing, security researchers with ERNW, these capabilities also have security flaws that can be easily exploited for turning these cameras into spying devices. The researchers chose to compromise Canon’s EOS-1D X DSLR camera and exploit each of the four ways it can communicate with a network. Not only have they been able to hijack the information sent from the camera, but have also managed to gain complete control of it.”

. November 16, 2013 at 11:46 pm

Ruiu said he arrived at the theory about badBIOS’s high-frequency networking capability after observing encrypted data packets being sent to and from an infected machine that had no obvious network connection with — but was in close proximity to — another badBIOS-infected computer. The packets were transmitted even when one of the machines had its Wi-Fi and Bluetooth cards removed. Ruiu also disconnected the machine’s power cord to rule out the possibility it was receiving signals over the electrical connection. Even then, forensic tools showed the packets continued to flow over the airgapped machine. Then, when Ruiu removed the internal speaker and microphone connected to the airgapped machine, the packets suddenly stopped.

With the speakers and mic intact, Ruiu said, the isolated computer seemed to be using the high-frequency connection to maintain the integrity of the badBIOS infection as he worked to dismantle software components the malware relied on.

“The airgapped machine is acting like it’s connected to the Internet,” he said. “Most of the problems we were having is we were slightly disabling bits of the components of the system. It would not let us disable some things. Things kept getting fixed automatically as soon as we tried to break them. It was weird.”

. January 14, 2014 at 11:32 pm

WASHINGTON — The National Security Agency has implanted software in nearly 100,000 computers around the world that allows the United States to conduct surveillance on those machines and can also create a digital highway for launching cyberattacks.

While most of the software is inserted by gaining access to computer networks, the N.S.A. has increasingly made use of a secret technology that enables it to enter and alter data in computers even if they are not connected to the Internet, according to N.S.A. documents, computer experts and American officials.

The technology, which the agency has used since at least 2008, relies on a covert channel of radio waves that can be transmitted from tiny circuit boards and USB cards inserted surreptitiously into the computers. In some cases, they are sent to a briefcase-size relay station that intelligence agencies can set up miles away from the target.

The radio frequency technology has helped solve one of the biggest problems facing American intelligence agencies for years: getting into computers that adversaries, and some American partners, have tried to make impervious to spying or cyberattack. In most cases, the radio frequency hardware must be physically inserted by a spy, a manufacturer or an unwitting user.

. January 14, 2014 at 11:37 pm

One, called Cottonmouth I, looks like a normal USB plug but has a tiny transceiver buried in it. According to the catalog, it transmits information swept from the computer “through a covert channel” that allows “data infiltration and exfiltration.” Another variant of the technology involves tiny circuit boards that can be inserted in a laptop computer — either in the field or when they are shipped from manufacturers — so that the computer is broadcasting to the N.S.A. even while the computer’s user enjoys the false confidence that being walled off from the Internet constitutes real protection.

The relay station it communicates with, called Nightstand, fits in an oversize briefcase, and the system can attack a computer “from as far away as eight miles under ideal environmental conditions.” It can also insert packets of data in milliseconds, meaning that a false message or piece of programming can outrace a real one to a target computer. Similar stations create a link between the target computers and the N.S.A., even if the machines are isolated from the Internet.

Computers are not the only targets. Dropoutjeep attacks iPhones. Other hardware and software are designed to infect large network servers, including those made by the Chinese.

. July 15, 2014 at 11:38 am

LIFX is a smart light bulb that can be controlled with your smart phone via your home’s Wi-Fi network. Turns out that anyone within range can obtain the Wi-Fi password from the light bulb. It’s a problem with the communications protocol.

. November 2, 2014 at 5:00 pm

Breaching Air-Gap Security With Radio

Security researcher Mordechai Guri with the guidance of Prof. Yuval Elovici from the cyber security labs at Ben-Gurion University in Israel presented at MALCON 2014 a breakthrough method (“AirHopper”) for leaking data from an isolated computer to a mobile phone without the presence of a network. In highly secure facilities the assumption today is that data cannot leak outside of an isolated internal network. It is called air-gap security. AirHopper demonstrates how the computer display can be used for sending data from the air-gapped computer to a nearby smartphone. The published paper and a demonstration video are at the link.

. June 8, 2015 at 12:38 pm
. July 21, 2015 at 10:22 pm

Hackers can pwn a Jeep Cherokee from the brakes and steering to the AC and radio

A zero-day exploit for Jeep Cherokees allows hackers to control everything from the engine to the air-conditioning over the Internet, overriding the driver at the dashboard.

Charlie Miller and Chris Valasek demoed their exploit for Wired’s Andy Greenberg, putting him on the highway in a Jeep which they then seized control over, putting their faces on the in-dash screen. They were able to control the car’s electrics — windshield wipers, AC, radio, etc — as well as the acceleration and steering. Miller and Valasek will present their work at Black Hat in Vegas next month.

. July 27, 2015 at 11:58 am

Data leaks via electromagnetic emissions are not a new phenomenon. So-called TEMPEST attacks were discussed in an NSA article in 1972. And about 15 years ago, two researchers published papers demonstrating how EMR emissions from a desktop computer could be manipulated through specific commands and software installed on the machine.

The Israeli researchers built on this previous knowledge to develop malware they call GSMem, which exploits this condition by forcing the computer’s memory bus to act as an antenna and transmit data wirelessly to a phone over cellular frequencies. The malware has a tiny footprint and consumes just 4 kilobytes of memory when operating, making it difficult to detect. It also consists of just a series of simple CPU instructions that don’t need to interact with the API, which helps it to hide from security scanners designed to monitor for malicious API activity.

The attack works in combination with a root kit they devised, called the ReceiverHandler, that gets embedded in the baseband firmware of the mobile phone. The GSMem malware could be installed on the computer through physical access or through interdiction methods—that is, in the supply chain while it is en route from the vendor to the buyer. The root kit could get installed through social engineering, a malicious app or through physical access to the targeted phone.

. July 27, 2015 at 11:59 am
. August 25, 2015 at 10:08 am
Milan March 2, 2016 at 6:48 pm

Think you’re safe because your computer includes no wireless networking gear (Wi-Fi, Bluetooth, GSM, CDMA, etc)? Someone may be able to use software to turn the system bus into a radio.

. March 20, 2016 at 12:15 am

FBI issues car-hacking warning, tells drivers to keep their cars’ patch-levels current

More proof that all devices in the modern world are just computers in fancy cases: the FBI’s joint warning issued with the DoT and the National Highway Traffic and Safety Administration tells drivers that they’re at risk of local and remote hack-attacks against their cars, and tells them they have to keep their cars’ patch-levels current or they’ll be in serious danger.

They also warn that leaving your car where strangers can get at it is like leaving your smartphone unattended, and that physical access means the power to hack your car to your grave detriment.

. December 22, 2016 at 7:33 pm

On September 17th analysts at Flashpoint, a security company, announced that they had found a botnet composed of 1m devices, mostly digital video-recorders. And on October 1st the source code for “Mirai”, the botnet that attacked Mr Krebs’s computer, was released to an internet hackers’ forum by a pseudonymous individual. Mirai scans the internet for devices protected by factory-default usernames and passwords (which is often the case for machines that are part of the internet of things, since their owners rarely bother to change these defaults). It then recruits them into the network.

Ultimately, however, the answer to DDoS attacks like that perpetrated by Mirai is to build better security into both devices and the networks they are attached to. Edith Ramirez, chairwoman of America’s Federal Trade Commission, said as much in January 2015 when she delivered a polite but blistering speech about privacy and security practices at one of the electronic industry’s main trade meetings, the Consumer Electronics Show, in Las Vegas. Equally politely, deaf ears were turned. Andy Ellis, Akamai’s chief security officer, says network operators could introduce filters that would prevent common illegitimate traffic from reaching its destination, but the costs and complexities involved mean they do not want to—particularly if their competitors are not forced to bear similar costs.

. May 28, 2017 at 7:07 pm

Orome1 quotes Help Net Security: Even though many IoT devices for smart homes encrypt their traffic, a passive network observer — e.g. an ISP, or a neighborhood WiFi eavesdropper — can infer consumer behavior and sensitive details about users from IoT device-associated traffic rate metadata. A group of researchers from the Computer Science Department of Princeton University have proven this fact by setting up a smart home laboratory with a passive network tap, and examining the traffic rates of four IoT smart home devices: a Sense sleep monitor, a Nest Cam Indoor security camera, a WeMo smart outlet, and an Amazon Echo smart speaker… “Once an adversary identifies packet streams for a particular device, one or more of the streams are likely to encode device state. Simply plotting send/receive rates of the streams revealed potentially private user interactions for each device we tested,” the researchers noted. [PDF] In addition, the article notes, “Separating recorded network traffic into packet streams and associating each stream with an IoT device is not that hard.”

. July 22, 2017 at 12:04 pm

Hackers compromised smart fish tank at casino

An unnamed North American casino was hacked through an on-site fish tank connected to the Internet, reports CNN.

“Someone used the fish tank to get into the network, and once they were in the fish tank, they scanned and found other vulnerabilities and moved laterally to other places in the network,” Justin Feir, director for cyber intelligence and analysis at Darktrace, told CNN Tech.

. September 25, 2017 at 12:09 am

Bluetooth Vulnerabilities

A bunch of Bluetooth vulnerabilities are being reported, some pretty nasty.

. November 22, 2017 at 5:04 pm

Connected sex-toy allows for code-injection attacks on a robot you wrap around your genitals

Anonymity and privacy researcher Sarah Jamie Lewis realized that a connected sex toy’s “email a blowjob” feature had significant security vulnerabilities and has produced an entertaining and delightful Twitter thread explaining how she was able to both fingerprint electronic blowjob description files and disrupt them with code-injection attacks.

The unnamed connected sex toy allowed one partner to design a blowjob by specifying actions the toy should take, with associated timings; then you could package up your lovingly crafted blowjob and email a link to it to your partner.

However, the links included base-64 encoded versions of the entire blowjob file, making it vulnerable to code-injection attacks. As Lewis notes, “I will leave you to ponder the consequences of having an XSS vulnerability on a page with no framebusting and preauthed connection to a robot wrapped around or inside someone’s genitals…”

. December 14, 2017 at 3:37 pm
