The second rule of the internet

Back in 2010, I described what I called the ‘first rule of the internet‘:

Against a sophisticated attacker, nothing connected to the internet is secure.

To this, I feel like I should add a second item:

Everything is internet now.

While there were once large numbers of electronic systems entirely disconnected from the internet, nowadays virtually everything is either connected to the internet constantly or occasionally connected to a device that is online. Your cell phone is probably always accessible to a sophisticated attacker using the internet, and the same is probably true for landlines using VoIP. Many of your computers are probably constantly connected to wireless networks (themselves targets for attack) and exposed to the wider internet through your broadband connection at all times.

Web integration with computers has reached the point that Google’s Chrome browser now treats ‘search’ and ‘GMail’ as apps within the Chrome environment.

The implication of combining the first and second rules is pretty plain. If you manage to attract the attention of a sophisticated attacker, they can probably get into the contents of your cell phone and your GMail account, as well as the hard drive of your PC and laptop, the ubiquitous webcams now built into computers, and so on. There is also a good chance they can take over your email, websites, Twitter accounts, and the like and use them for their own purposes.

Author: Milan

In the spring of 2005, I graduated from the University of British Columbia with a degree in International Relations and a general focus in the area of environmental politics. In the fall of 2005, I began reading for an M.Phil in IR at Wadham College, Oxford. Outside school, I am very interested in photography, writing, and the outdoors. I am writing this blog to keep in touch with friends and family around the world, provide a more personal view of graduate student life in Oxford, and pass on some lessons I've learned here.

38 thoughts on “The second rule of the internet”

  1. Defending Your Cellphone Against Malware

    “Kate Murphy writes that as cellphones have gotten smarter, they have become less like phones and more like computers, and that with more than a million phones worldwide already hacked, technology experts expect breached, infiltrated or otherwise compromised cellphones to be the scourge of 2012. Cellphones are often loaded with even more personal information than PCs, so an undefended or carelessly operated phone can result in a breathtaking invasion of individual privacy as well as the potential for data corruption and outright theft. But there are a few common sense ways to protect yourself: Avoid free, unofficial versions of popular apps that often have malware hidden in the code, avoid using Wi-Fi in a Starbucks or airport which leaves you open to hackers, and be wary of apps that want permission to make phone calls, connect to the Internet or reveal your identity and location.”

  2. Android Malware May Have Infected 5 Million Users

    “A massive Android malware campaign may be responsible for duping as many as 5 million users into downloading the Android.Counterclan infection from the Google Android Market. The trojan collects the user’s personal information, modifies the home page, and displays unwanted advertisements. It is packaged in 13 different applications, some of which have been on the store for at least a month. Several of the malicious apps are still available on the Android Market as of 3 P.M. ET. Symantec has posted the full list of infected applications.”

  3. Stealing Smartphone Crypto Keys Using Radio Waves

    “Encryption keys on smartphones can be stolen via a technique using radio waves, says one of the world’s foremost crypto experts, Paul Kocher, whose firm Cryptography Research will demonstrate the hacking stunt with several types of smartphones at the upcoming RSA Conference in San Francisco next month.”

  4. Your encryption doesn’t work because you cannot keep a key safe. You can’t memorize a key that is long enough to be secure and as soon as you write it down electronically an attacker can gain access to it.

  5. “Elsewhere, driven by the acceleration of computing power and connectivity and the simultaneous development of surveillance systems and tracking technologies, we are approaching a theoretical state of absolute information transparency, one in which ‘Orwellian’ scrutiny is no longer a strictly hierarchical, top-down activity, but to some extent a democratized one. As individuals steadily lose degrees of privacy, so to do corporations and states. Loss of traditional privacies may seem in the short term to be driven by issues of national security, but this may prove in time to be intrinsic to the nature of ubiquitous information.

    Certain goals of the government’s Total (now Terrorist) Information Awareness initiative may eventually be realized simply by the evolution of the global information system – but not necessarily or exclusively for the benefit of the United States or any other government. This outcome may be an inevitable result of the migration to cyberspace of everything that we do with information.

    Had Orwell known that computers were coming (out of Bletchley Park, oddly, a dilapidated English country house, home to the pioneering efforts of Alan Turing and other wartime code-breakers) he might have imagined a Ministry of Truth empowered by punch cards and vacuum tubes to better wring the last vestiges of freedom from the population of Oceania. But I doubt his story would have been very different. Would East Germany’s Stasi have been saved if its agents had been able to mouse away on PCs into the Nineties? The system would still have been crushed. It just wouldn’t have been under the weight of paper surveillance.”

    Gibson, William. Distrust That Particular Flavor. p.168-9 (hardcover)

  6. Tons of your data held by other people is vulnerable over the Internet now:

    * medical records held on web-connected computers in clinics and hospitals
    * call history information held by your phone company
    * purchase and rental records from businesses

    And so on.

    Even if you never go online, plenty of private information about you is vulnerable to access by capable attackers.

  7. “A hard-to-detect piece of malware that doesn’t create any files on the affected systems was dropped onto the computers of visitors to popular news sites in Russia in a drive-by download attack, according to Kaspersky Lab. ‘What’s interesting about this particular attack is the type of malware that was installed in cases of successful exploitation: one that only lives in the computer’s memory. … It’s ideal to stop the infection in its early stages, because once this type of “fileless” malware gets loaded into memory and attaches itself to a trusted process, it’s much harder to detect by antivirus programs.‘”

  8. Wi-Fi Enabled Digital Cameras Easily Exploitable

    “Users’ desire to share things online has influenced many markets, including the digital camera one. Newer cameras increasingly sport built-in Wi-Fi capabilities or allow users to add SD cards to achieve them in order to be able to upload and share photos and videos as soon as they take them. But, as proven by Daniel Mende and Pascal Turbing, security researchers with ERNW, these capabilities also have security flaws that can be easily exploited for turning these cameras into spying devices. The researchers chose to compromise Canon’s EOS-1D X DSLR camera and exploit each of the four ways it can communicate with a network. Not only have they been able to hijack the information sent from the camera, but have also managed to gain complete control of it.”

  9. Ruiu said he arrived at the theory about badBIOS’s high-frequency networking capability after observing encrypted data packets being sent to and from an infected machine that had no obvious network connection with — but was in close proximity to — another badBIOS-infected computer. The packets were transmitted even when one of the machines had its Wi-Fi and Bluetooth cards removed. Ruiu also disconnected the machine’s power cord to rule out the possibility it was receiving signals over the electrical connection. Even then, forensic tools showed the packets continued to flow over the airgapped machine. Then, when Ruiu removed internal speaker and microphone connected to the airgapped machine, the packets suddenly stopped.

    With the speakers and mic intact, Ruiu said, the isolated computer seemed to be using the high-frequency connection to maintain the integrity of the badBIOS infection as he worked to dismantle software components the malware relied on.

    “The airgapped machine is acting like it’s connected to the Internet,” he said. “Most of the problems we were having is we were slightly disabling bits of the components of the system. It would not let us disable some things. Things kept getting fixed automatically as soon as we tried to break them. It was weird.”

  10. WASHINGTON — The National Security Agency has implanted software in nearly 100,000 computers around the world that allows the United States to conduct surveillance on those machines and can also create a digital highway for launching cyberattacks.

    While most of the software is inserted by gaining access to computer networks, the N.S.A. has increasingly made use of a secret technology that enables it to enter and alter data in computers even if they are not connected to the Internet, according to N.S.A. documents, computer experts and American officials.

    The technology, which the agency has used since at least 2008, relies on a covert channel of radio waves that can be transmitted from tiny circuit boards and USB cards inserted surreptitiously into the computers. In some cases, they are sent to a briefcase-size relay station that intelligence agencies can set up miles away from the target.

    The radio frequency technology has helped solve one of the biggest problems facing American intelligence agencies for years: getting into computers that adversaries, and some American partners, have tried to make impervious to spying or cyberattack. In most cases, the radio frequency hardware must be physically inserted by a spy, a manufacturer or an unwitting user.

  11. One, called Cottonmouth I, looks like a normal USB plug but has a tiny transceiver buried in it. According to the catalog, it transmits information swept from the computer “through a covert channel” that allows “data infiltration and exfiltration.” Another variant of the technology involves tiny circuit boards that can be inserted in a laptop computer — either in the field or when they are shipped from manufacturers — so that the computer is broadcasting to the N.S.A. even while the computer’s user enjoys the false confidence that being walled off from the Internet constitutes real protection.

    The relay station it communicates with, called Nightstand, fits in an oversize briefcase, and the system can attack a computer “from as far away as eight miles under ideal environmental conditions.” It can also insert packets of data in milliseconds, meaning that a false message or piece of programming can outrace a real one to a target computer. Similar stations create a link between the target computers and the N.S.A., even if the machines are isolated from the Internet.

    Computers are not the only targets. Dropoutjeep attacks iPhones. Other hardware and software are designed to infect large network servers, including those made by the Chinese.

  12. Breaching Air-Gap Security With Radio

    Security researcher Mordechai Guri with the guidance of Prof. Yuval Elovici from the cyber security labs at Ben-Gurion University in Israel presented at MALCON 2014 a breakthrough method (“AirHopper”) for leaking data from an isolated computer to a mobile phone without the presence of a network. In highly secure facilities the assumption today is that data can not leak outside of an isolated internal network. It is called air-gap security. AirHopper demonstrates how the computer display can be used for sending data from the air-gapped computer to a near by smartphone. The published paper and a demonstration video are at the link.

  13. Hackers can pwn a Jeep Cherokee from the brakes and steering to the AC and radio

    A zero-day exploit for Jeep Cherokees allows hackers to control everything from the engine to the air-conditioning over the Internet, overriding the driver at the dashboard.

    Charlie Miller and Chris Valasek demoed their exploit for Wired’s Andy Greenberg, putting him on the highway in a Jeep which they then seized control over, putting their faces on the in-dash screen. They were able to control the car’s electrics — windshield wipers, AC, radio, etc — as well as the acceleration and steering. Miller and Valasek will present their work at Black Hat in Vegas next month.

  14. Data leaks via electromagnetic emissions are not a new phenomenon. So-called TEMPEST attacks were discussed in an NSA article in 1972. And about 15 years ago, two researchers published papers demonstrating how EMR emissions from a desktop computer could be manipulated through specific commands and software installed on the machine.

    The Israeli researchers built on this previous knowledge to develop malware they call GSMem, which exploits this condition by forcing the computer’s memory bus to act as an antenna and transmit data wirelessly to a phone over cellular frequencies. The malware has a tiny footprint and consumes just 4 kilobytes of memory when operating, making it difficult to detect. It also consists of just a series of simple CPU instructions that don’t need to interact with the API, which helps it to hide from security scanners designed to monitor for malicious API activity.

    The attack works in combination with a root kit they devised, called the ReceiverHandler, that gets embedded in the baseband firmware of the mobile phone. The GSMem malware could be installed on the computer through physical access or through interdiction methods—that is, in the supply chain while it is enroute from the vendor to the buyer. The root kit could get installed through social engineering, a malicious app or through physical access to the targeted phone.

  15. FBI issues car-hacking warning, tells drivers to keep their cars’ patch-levels current

    More proof that all devices in the modern world are just computers in fancy cases: the FBI’s joint warning issued with the DoT and the National Highway Traffic and Safety Administration tells drivers that they’re at risk of local and remote hack-attacks against their cars, and tells them they have to keep their cars’ patch-levels current or they’ll be in serious danger.

    They also warn that leaving your car where strangers can get at it is like leaving your smartphone unattended, and that physical access means the power to hack your car to your grave detriment.

  16. On September 17th analysts at Flashpoint, a security company, announced that they had found a botnet composed of 1m devices, mostly digital video-recorders. And on October 1st the source code for “Mirai”, the botnet that attacked Mr Krebs’s computer, was released to an internet hackers’ forum by a pseudonymous individual. Mirai scans the internet for devices protected by factory-default usernames and passwords (which is often the case for machines that are part of the internet of things, since their owners rarely bother to change these defaults). It then recruits them into the network.

    Ultimately, however, the answer to DDoS attacks like that perpetrated by Mirai is to build better security into both devices and the networks they are attached to. Edith Ramirez, chairwoman of America’s Federal Trade Commission, said as much in January 2015 when she delivered a polite but blistering speech about privacy and security practices at one of the electronic industry’s main trade meetings, the Consumer Electronics Show, in Las Vegas. Equally politely, deaf ears were turned. Andy Ellis, Akamai’s chief security officer, says network operators could introduce filters that would prevent common illegitimate traffic from reaching its destination, but the costs and complexities involved mean they do not want to—particularly if their competitors are not forced to bear similar costs.

  17. Orome1 quotes Help Net Security: Even though many IoT devices for smart homes encrypt their traffic, a passive network observer — e.g. an ISP, or a neighborhood WiFi eavesdropper — can infer consumer behavior and sensitive details about users from IoT device-associated traffic rate metadata. A group of researchers from the Computer Science Department of Princeton University have proven this fact by setting up smart home laboratory with a passive network tap, and examining the traffic rates of four IoT smart home devices: a Sense sleep monitor, a Nest Cam Indoor security camera, a WeMo smart outlet, and an Amazon Echo smart speaker… “Once an adversary identifies packet streams for a particular device, one or more of the streams are likely to encode device state. Simply plotting send/receive rates of the streams revealed potentially private user interactions for each device we tested,” the researchers noted. [PDF] In addition, the article notes, “Separating recorded network traffic into packet streams and associating each stream with an IoT device is not that hard.”

  18. Hackers compromised smart fish tank at casino

    An unnamed North American casino was hacked through an on-site fish tank connected to the Internet, reports CNN.

    “Someone used the fish tank to get into the network, and once they were in the fish tank, they scanned and found other vulnerabilities and moved laterally to other places in the network,” Justin Feir, director for cyber intelligence and analysis at Darktrace, told CNN Tech.

  19. Connected sex-toy allows for code-injection attacks on a robot you wrap around your genitals

    Anonymity and privacy researcher Sarah Jamie Lewis realized that a connected sex toy’s “email a blowjob” feature had significant security vulnerabilities and has produced an entertaining and delightful Twitter thread explaining how she was able to both fingerprint electronic blowjob description files and disrupt them with code-injection attacks.

    The unnamed connected sex toy allowed one partner to design a blowjob by specifying actions the toy should take, with associated timings; then you could package up your lovingly crafted blowjob and email a link to it to your partner.

    However, the links included base-64 encoded versions of the entire blowjob file, making it vulnerable to code-injection attacks. As Lewis notes, “I will leave you to ponder the consequences of having an XSS vulnerability on a page with no framebusting and preauthed connection to a robot wrapped around or inside someones genitals…”

  20. Your smart TV is trivial to hack and leaks your personal information like crazy unless you disable all its useful features

    The re-evaluation of smart TVs revealed that while these devices worked beautifully, they failed miserably: they can be remote-controlled by malicious parties and they harvest and transmit mountains of data about you and your viewing habits back to their manufacturers, who arrogate to themselves the right to do pretty much anything they want with that data, all on the basis of obscure permissions granted deep in the unreadable pastebomb of terms and conditions that you have to click through to use your device.

    Worse: the manufacturers can’t even succeed at failing. When notified of the issues with their devices, Roku shrugged its shoulders and insisted that there was no problem. And it turns out that if you dig deep into the preferences screen for your TV and turn off all the data-harvesting, the TVs also disable all the useful features that distinguish them from dumb TVs, features that could function perfectly well without all the surveillant activities.

    You could just buy an old-fashioned “dumb” TV, without built-in streaming capabilities, but these are becoming harder to find. Of the nearly 200 midsized and large sets in Consumer Reports’ ratings, only 16 aren’t smart TVs. And those are 2017 models—in 2018 we expect to see even fewer internet-free televisions.

  21. It looks like a Lightning cable, it works like a Lightning cable, and I can use it to connect my keyboard to my Mac. But it is actually a malicious cable that can record everything I type, including passwords, and wirelessly send that data to a hacker who could be more than a mile away. This is the new version of a series of penetration testing tools made by the security researcher known as MG. MG previously demoed an earlier version of the cables for Motherboard at the DEF CON hacking conference in 2019. Shortly after that, MG said he had successfully moved the cables into mass production, and cybersecurity vendor Hak5 started selling the cables. But the more recent cables come in new physical variations, including Lightning to USB-C, and include more capabilities for hackers to play with.

    “There were people who said that Type C cables were safe from this type of implant because there isn’t enough space. So, clearly, I had to prove that wrong. :),” MG told Motherboard in an online chat. The OMG Cables, as they’re called, work by creating a Wi-Fi hotspot itself that a hacker can connect to from their own device.

  22. The difficulty of reliably turning software-based devices completely off is no longer merely a hypothetical issue. Some vendors have even recognized it as a marketable feature. For example, certain Apple iPhones will continue to transmit “Find My Device” tracking beacons even after they’ve ostensibly been powered off. Misbehaving or malicious software could enable similar behavior even on devices that don’t “officially” support it, creating the potential for malware that turns your phone into a permanently on surreptitious tracking device, no matter whether you think you’ve turned it off. Compounding these risks are the non-removable batteries used in many of the latest smartphones.

  23. Apple’s AirTags are being used in an increasing number of targeted car thefts in Canada, according to local police.

    Outlined in a news release from York Regional Police, investigators have identified a new method being used by thieves to track down and steal high-end vehicles that takes advantage of the AirTag’s location tracking capabilities. While the method of stealing the cars is largely conventional, the purpose of the AirTag is to track a high-end car back to a victim’s residence where it can be stolen from the driveway.

Leave a Reply

Your email address will not be published. Required fields are marked *