It pains me to criticize a browser that I typically praise and recommend, but I can’t play favorites when it comes to security. An article by Elliott Kember pointed out a glaring security controversy within Chrome that has the various tech ideology camps (hackers, security analysts, developers, power-users etc.) bickering over some of the most basic elements of data security. In a nutshell, Chrome (like all browsers) has the ability to save passwords for any website you visit, and when this feature is enabled (it is, by default) it will ask you politely if you’d like to save that password you just entered for this website. Here’s the controversy: if you go into Chrome’s advanced settings and view the list of passwords saved by the browser, you can actually click on each password and view it in clear text. Not the usual black bullets we’re used to seeing – you can actually read the password. Go ahead, see for yourself. I’ll wait.
I was literally gobsmacked when I found this out, as I have been using Chrome ever since it was released to the public. “They obviously haven’t thought this out!” I said to myself, but it seems that the head of Chrome’s security development thinks otherwise (warning: geeks arguing on the internet – the knives are out!); the basis of his argument is that if someone other than you is physically sitting at your computer and can manipulate the mouse and keyboard to the point where they can get to this screen, then any security precautions Chrome could put in place are essentially null. This is actually a position I share regularly with my clients: if someone has physical control of your device, most security measures like passwords will do much less to protect you than you think. HOWEVER…
What this means for you:
Yes, if someone unsavory has possession of your hardware and are appropriately trained/equipped, even a strong password isn’t going to keep them at bay for long. But what about the time your roomate or co-worker asks to borrow your laptop real quick to do [random, innocuous websurfing task]. Sure, no problem, you close out of whatever sensitive websites you might have open and push it over to him. Let’s say this person’s intentions aren’t completely honorable, but he also knows he doesn’t have much time to go browsing around randomly through your bookmarks or history to see if any website sessions are still valid (ie. you’ve recently entered a password, and a cookie provides convenient re-opening of a website). But he does know that Chrome has this particular flaw, and he quickly glances through the saved password list, memorizing a couple critical ones to use for later wreaking of havoc.
Scared now? It’s not clear whether Chrome will ever fix this “issue” when they don’t recognize it as such. I rarely let anyone else use my laptop or desktop, but I’m still erasing all my saved passwords and disabling this feature. As convenient as it may seem, at minimum you should NEVER save passwords for any sensitive accounts like online banking, email, etc, and if you can stand the inconvenience, don’t let your browser save passwords at all, in any browser on any platform.
You’ve seen it in movies and television probably dozens of times: video surveillance systems being hacked into by both heroes and villains and being fooled into showing looped footage allowing said hero/villain to proceed undetected. This time around, life is imitating art as a security researcher demonstrated at the Black Hat security conference held this past weekend. In his presentation, dubbed “Exploiting Surveillance Cameras Like a Hollywood Hacker”, former NSA worker Craig Heffner demonstrated how he was able to research and exploit readily available internet-enabled video cameras commonly used for security surveillance in homes and businesses around the world. Given the well-honed skeptical nature of Black Hat attendees, Mr. Heffner provided a live demonstration wherein he focused a compromised camera on a bottle placed on stage. While the audience watched via the security console, Heffner hacked the camera to display a spoofed image of the bottle (the “Hollywood” part), and then proceeded to “steal” the bottle while the security camera continued to display an unmolested bottle.
What this means for you:
Unfortunately, Heffner was able to exploit cameras from many manufacturers primarily because the device firmwares contained hard-wired passwords and other backdoor mechanisms. Thanks to the internet, Heffner was able to download copies of many camera firmwares and research the vulnerabilities without even owning the actual device. Heffner contends that he has yet to come across a model of internet security camera that he cannot hack, primarily because the manufacturers have been careless in removing the backdoors and weakness, and that the basic operating system varied in only minor ways from model to model. If you are actively using any of the cameras listed in Heffner’s presentation, you may want to consider disconnecting them from the network (which essentially defeats the “Internet-enabled” part), or disabling them completely until the manufacturers patch the obvious security weaknesses.
Image courtesy of Renjith Krishnan / FreeDigitalPhotos.net
Unlike the hype build-up surrounding Glass which seemed to go on for months, Google stole a march on the media and surprised the world last week with a $35 device called Chromecast which is poised to rock the world of Television. This little gadget is designed to work with any HDMI-capable television or monitor and will stream specific provider content straight to your entertainment center big screen.
Which content providers? How about streaming heavy Netflix and, of course, all of Google’s content offerings, such as YouTube and Google Play music and video. Despite the “limited” content partners named at launch, Chromecast sold out online within hours of the announcement, and retail establishments like BestBuy were cleared out shortly thereafter. As expected, other content providers are jumping into what has the makings of a bona fide internet gold-rush, with both Vimeo and Netflix competitor RedBox announcing apps for the device. Hackers have also uncovered what appears to be hooks for HBO’s Go service, the arrival of which would truly cement Chromecast’s position in the entertainment ecosphere.
What this means for you:
If you are one of the hundreds of thousands of families that has an HDMI TV in your living room and wished there was a way you could watch Netflix streaming videos on it, this is your device. Netflix-capable devices have existed for years: all current gaming consoles (Wii, Playstation 3, Xbox 360) and other set-top devices like Apple TV, Google TV, Roku and Boxee, have this capability, but prices start at $100 and head North quickly.
The savvy among you know that you can easily hook a computer, laptop or tablet up to any modern television, either through a set of cables, or in Apple’s case, a not insignificant investment in Apple hardware. With the exception of the Apple solution, these solutions are encumbered by wires that essentially tether that device to your entertainment center more or less permanently, and Apple’s solution locks you into their tightly-controlled iTunes environment and a handful of Apple-approved apps.
Now, for the cost of an mid-quality HDMI cable, you can stream that same content (and who knows what else will arrive soon?) to any HDMI TV. Want to enjoy Game of Thrones at a friend’s house, but they don’t have HBO? Assuming the HBO Go app becomes a reality, you’ll be able to put the Chromecast device in your pocket, head over to your friend’s house and plug it in to their TV. Log into your HBO Go account from one of their computers or connect your smartphone to their WiFi, and you are good to go.
Portable flash drives, also known as “thumb” drives, are about as common as their physiological namesake. They are readily available, useful for a variety of tasks, and now so cheap as render them nearly disposable. Partly because of their ubiquity and seemingly innocuous profile, they make extremely effective malware vectors and continue to be the bane of information security professionals everywhere:
- As part of a security test conducted by the Department of Homeland Security, USB drives were left in the parking lots of other government agencies and private contractors. After being spotted and picked up by employees, almost two-thirds of the orphaned drives were plugged into networked computers, even though the users had no clue as to the thumb drive’s origins, and if the thumb drive had a faux government logo on them, nearly 90% were accessed via networked computers.
- A survey of 300 IT professionals conducted at the 2013 RSA Security Conference found that almost 80% of respondents have plugged in thumb drives with questionable or unknown origins, despite probably knowing full well the dangers such an action could present.
- Infamous NSA whistleblower Edward Snowden purportedly copied digital documents supporting his claims onto a thumb drive that he smuggled without much effort into and out of the National Security Agency.
What this means for you:
Because of their size and capability, thumb drives are not something that will be controlled through simple policy and half-hearted enforcement. Companies with tightly managed technology environments can enforce a ban on non-authorized USB devices through centrally controlled software policies, and some have gone so far as to glue shut open USB ports in an attempt to close this security gap. For smaller companies with less dire security requirements, this may not be a reasonable solution. Instead, you should continue to make sure that you have working anti-malware in place and set to scan any storage device inserted into your computer. On top of this, if you regularly use thumb drives to transport business data, those drives should be encrypted with a strong password to prevent security breaches due to loss or theft, and obviously, they should be backed up regularly for the same reason. And for goodness sakes, don’t pick up some random thumb drive lying on the ground and plug it into your computer. You really don’t know where that thing has been!
Image courtesy of bplanet / FreeDigitalPhotos.net
One of the claims by loyal Apple fans is that the Apple desktop operating system is more secure than Microsoft Windows because they are affected by markedly less malware. This has more to do with the fact that virus-writers would rather spend their time creating malware for an OS that is much more widely installed and has many well-known security weaknesses and bugs to exploit, and less to do with any inherent security strengths in OS X.
Which ever side of the fence you fall on, Mac users have recently been falling prey to a new form of ransomware that is delivered via Apple’s Safari web browser. Affected users are displayed the usual threatening messages that purportedly come straight from the FBI, demonstrating “proof” that your Apple computer has been engaged in illegal activity. Users are given the opportunity to pay a “fine” which will supposedly allow them to regain control over their machine and remove the warning messages blocking their screen.
What this means for you:
If you are a Windows user, you’ve probably already seen this form of malware in action. The Apple variant is slightly less annoying than its Windows counterpart, relying heavily on “iFrames” to pop-up the warnings. Savvy Safari users can close these windows to escape the ransomware’s clutches temporarily (something that’s not possible on the Windows side), but should still reset their browser settings (FBI provides instructions here) to clear out any rogue alterations made, and then run a full anti-malware sweep to ensure they didn’t pick up anything else alongside of the ransomware scam.
As always, you should never heed instructions to pay a “fine” levied by some governmental institution via online method. Law enforcement agencies do not operate in that fashion. Regardless of the brouhaha ongoing with the NSA and the Prism surveillance, no government entity is going to handle illegal activity via automated fines, and especially not through dodgy online payment websites. Use your common sense. If you encounter this form of malware and are unable to fix it yourself, shut down your workstation and pick up the phone to call a professional.
A german security researcher has revealed that as many as 750 million cellphones may be vulnerable to to hacking via their SIM card if it’s encrypted with DES (Data Encryption Standard) originally coded in the 1970s. Through studies on approximately 1000 sim chips and phones, Karsten Nohl of Security Research Labs demonstrated the ability to fool the older SIM chips into thinking he was authorized to access confidential data on the phone, including SMS texts, call logs as well as pay for fraudulent services via the phone. In theory, this level of access could grant an attacker the ability to compromise and steal the phone owner’s identity on top of gaining access to online bank accounts and other high-risk areas.
What this means for you:
Mr. Nohl has not revealed to the public the details of which SIM cards may suffer from this weakness and has instead been working closely with SIM card manufacturers to assist them with identifying and hopefully remediating the weakness where they can. His estimates are that as many as 3 billion cell phones use the older-generation SIM cards, but only some of those are prone to the security bug he has exploited in the above research. According to SIM manufacturers, they stopped using the older DES method back in 2008, so it’s likely that if your phone is less than 3-years old, you are probably safe from this particular exploit. If you have a phone that is older than 3-years, you should consider replacing it with a newer phone, or at minimum, see about getting a new SIM card from your carrier if you want to continue using your cellphone.
Lest you think Facebook is the only security punching bag getting a beating lately, two significant flaws in the Android application platform have been revealed by overseas security teams. Without going into the gory details, each team has found a different way to create a trojanized APK (the file format in which Android apps are delivered) that is indistinguishable from the original. This would allow an app to appear and function normally, but also execute functions like transmitting your passwords, texts, emails on the sly. Google has already put together a fix and distributed a patch to OEM manufacturers, and supposedly they are able to detect this sort of exploit on the Google Play Store.
You need to worry if you “sideload” apps on your Android phone, which is to say you get apps from sources other than Google Play. Keep in mind, even Amazon’s App store counts as a sideloading source, and as of the moment, they aren’t scanning for this vulnerability.
What this means for you:
Even though Google has issued a fix for this particular vulnerability, they can’t force the update upon the millions of Android phones out there affected by this weakness, as that task lies with the phone manufacturers and the carriers. With the exception of avid power-users, most Android users are unaware that their Android OS may be months or years out of date, primarily because cellular carriers insist on selling phones that use a modified version of the OS that does not automatically get updated when Google updates the core version of Android. On top of this, the carriers are notoriously slow in issuing updates. If you are wondering what folks are talking about when they are discussing “Gingerbread”, “Honeycomb”, “Ice Cream Sandwich” and “Jelly Bean”, they are referring to the various versions of Android OS, where Jelly Bean is the latest. Supposedly this exploit exists as far back as “Donut” (ver 1.6).
Even worse, certain older models of Android phones may never get updated, as the carrier has essentially abandoned firmware updates for phones that are “retired” from active support. Users of these phones have essentially two options: root, unlock and update the phone with a custom version of the Android OS developed by the open source community, or buy a new phone. The former option is definitely not for technically-disinclined. Given the gravity of the vulnerability, the carriers may issue patches for the majority of its phones, but I wouldn’t hold your breath.
Until you are able to verify your Android smartphone is running a version of the OS that fixes this vulnerability, don’t sideload applications. If you want to be extra safe, avoid using smartphone apps that transmit sensitive information like banking passwords, pins and other sensitive personal information. As I’ve reiterated before, exercise caution before convenience, especially when it comes to protecting yourself.
Depending on where you live or work, you’ve probably experienced problems with cellphone coverage for one or more carriers, usually due to your geographical (lack of) proximity to a cell tower, or courtesy of construction materials like concrete, lead and steel in between you and your signal. Thanks to the advent of widely available broadband, cellular providers have been able to build small devices called femtocells that can be connected to your internet connection and will significantly improve cellular signal for a specific carrier in a limited range.
While seen as a godsend for the cell-strength deficient, we also now have to regard them as a security risk, thanks to research performed by analysts at iSEC Partners who have allegedly hacked a Verizon network extender to allow them to eavesdrop on any phone call, text message or other information transmitted from the phone through the compromised femtocell. The researchers plan to publicize their findings at the upcoming Black Hat Conference in August, but have declined to share details for obvious security reasons.
What this means for you:
Unfortunately, you can’t tell your cellphone what radio signal source to use. It’s designed to look for the strongest signal and use it. The iSEC researchers claim it would be trivial to build a portable and unobtrusive hacked network extender and place it in a strategic location to capture confidential calls. If you are in the business of confidential information, you probably already know not to take sensitive calls where ever you might be overheard, and if you are a well-informed adult, you probably already know that the NSA could eavesdrop on your conversation regardless of what cell tower was handling your call. But now we are talking about a commercially available device that is cheap, portable, and apparently, hackable. As before, consider carefully the medium you choose for the delivery of your sensitive information, and when in doubt, err on the side of caution rather than convenience.
Image courtesy of Stuart Miles / FreeDigitalPhotos.net
I often encourage my clients to be paranoid about security, but never to the point of throwing the baby out with the bathwater, which is exactly what the Economic Development Agency did two years ago when responding to a report that some of its computers were infected with malware. Due to a mixture of clerical error, poor communication and straight-up inexperience (in a government agency? Imagine that!), the top brass at the EDA received a report that stated over a hundred devices on its network were infected. Believing the technology to be unrecoverable, they proceeded to physically destroy all of it, including mice, keyboards, monitors, printers and other devices that couldn’t be infected with malware, rather than risk the spread of infection, to the tune of nearly $3 million.
What this means for you:
If you’ve ever had a really bad malware infection, you sometimes might hear the technician say, “It’s probably best if we nuke this thing from orbit,” referring to a favorite scene from the movie Aliens. Obviously, your computer is going to be just fine, as he’s actually just talking about wiping out the contents of your hard drive and starting with a fresh install of your operating system. Unless he’s a contractor who lists the EDA as a former client, in which case you might want to show him the door and call someone else.
In all seriousness, a situation like this can easily happen if your organization’s leadership has an incomplete understanding of technology and security. In the above case, a little knowledge and a pinch of common sense could have saved the EDA a lot of money and embarrassment. Continue to be paranoid about security, but only “nuke from orbit” when your company is completely overrun by man-eating aliens. A malware infection, or even a serious security breach, can be handled without slaughtering all those helpless keyboards and mice.
Back in January of this year, I wrote about Facebook’s impending Graph Search feature (“Facebook Graph Search Cutting Bait for Phishers“) which was set to greatly improve its existing feeble search engine as well as outrage privacy watchdogs. Based upon the feedback the developers received from the small test group to which it was originally released, Facebook went back to the drawing board, and have now decided that Graph Search is ready for its debut.
Unlike the search engine we all know and use, Facebook’s new search engine will rely heavily on the various layers of data that it has accumulated on it’s millions of users, allowing you to perform searches that list “friends who like trucks and football” or “single women in Los Angeles who like Ethiopian food”. Obviously, the results are heavily dependent upon how much information everyone shares about themselves on Facebook, but Facebook is confident that the results will be eye opening.
What this means for you:
If you haven’t heard me mention it before, there’s no better time than the present to log into your Facebook account and check your privacy settings, even if you don’t use it often, or you haven’t updated your profile since you created the account oh so many years ago. If you haven’t logged into Facebook in the past year, they have made a lot of changes to settings and security that will probably bewilder the savviest of users. I linked a guide written by the EFF on Facebook’s privacy settings here: “Tighten Up Your Facebook Security”, and Facebook is also taking a more proactive approach by warning you when you log in that Graph Search is coming and provides you a link to your privacy settings.










