Archive for category security
[Guest post by Ryan Bailey]
Earlier this year roughly 50,000 stolen iTunes accounts were posted to a Chinese online auction site with prices ranging from 15 cents to $30 each. Many forms of attacks can be leveraged in acquiring passwords such as these through covert means, but almost none provide such a straightforward plan of attack like Phishing. Phishing, like many other forms of modern day email spam, is a form of social engineering aimed at acquiring sensitive information by attempting to fool users into freely surrendering passwords, credit card information or other potentially valuable information. Most current day attacks come in the form of an email seeking users to verify their account or billing details. These social engineering attempts often utilize pixel perfect facsimiles of websites or newsletters in order to gain a user’s trust. That’s where this phishing proof of concept gets its cue.
The first step of the attack comes in the form of utilizing a botnet to send out a fake news article using the default styles of a legitimate shared article. These emails often use minimal styling and shortened URLs making a fake shared story almost impossible to distinguish from a real one.
The user is then taken to a fake mobile version of the news article where the user is able to browse the page as they normally would. The only clue to the fake at this point is the URL in the address bar which can easily be spoofed with either a shortened URL or a misspelled domain name.
After a certain amount of time, an iOS alert pops up to inform the user that the iTunes Terms of Service has changed. Normally users are only prompted to accept changes after attempting a download from the iTunes store. But as anyone who has owned an iPhone will attest to, these changes often stand in the way of desired actions and often are accepted without a second thought. By delaying the bait until after the user has begun to read the article, it stands to reason the users will simply accept the thought of accepting the new Terms of Service without second thought.
The users, after having clicked through to accept the changes, are taken to a facsimile iTunes Store Terms of Service page where users are given bogus information about the update they are about to agree to. This view of removing the standard Safari title bar is easily accomplished through several frameworks designed to perfectly mimic the iOS user interface.
The user scroll to the bottom of the fake Terms of Service to the realistic “Accept” button where upon clicking pops up a copy of the iOS Username and Password Prompt. After entering their username and tapping the “OK” button, the user can be forwarded back to the article being none the wiser to their personal information now being in the hands of the highest bidder.
[HT Ryan Baily]
According to this research paper, its pretty easy.
Srdjan Capkun, an assistant professor of computer science in the system security group at ETH Zurich in Switzerland, who led the work, says he was inspired to investigate the security of keyless entry and start systems after buying a car that had one. Capkun and Aurélien Francillon and Boris Danev, both researchers in the same institution, examined 10 car models from the eight manufacturers. They were able to access all 10 and drive them away by intercepting and relaying signals from the cars to their wireless keys. While they could relay the signals from the key back to the car as well, usually they did not need to because the key transmits its signals up to around 100 meters. The attack works no matter what cryptography and protocols the key and car use to communicate with each other.
Normally, when a wireless key is within a few meters of the right car, it detects a low-powered signal that causes it to issue a command that opens the car enable the ignition. The researchers used a pair of antennas to transmit these signals from the car to the key when the key was farther away, tricking the car into opening without the ordinary authorization. One antenna needs to be very close to the car, and one needs to be within eight meters of the key.
The researchers came up with two versions of the attack. In one, they ran a cable from near the car to near the key and used it to transmit the signals. They conducted the other wirelessly. Francillon says that the materials for the wired attack cost about $50, and those for the wireless attack cost between $100 and $1,000, depending on the electronic components used.
The setup from Intelligence Squared:
On Christmas Day, 2009, twenty-three-year-old Umar Farouk Abdulmutallab attempted to blow up Northwest Airlines Flight 253 using explosives hidden in his underwear. A string of missed opportunities and errors by government security agencies culminated in what President Obama would declare a “systemic failure.” Is scanning everyone with expensive, high-tech equipment the best use of limited resources? Or should we use the information that we have—the knowledge that, while all Muslims are not terrorists, most terrorists are Muslim.
I think this debate should be re-framed: Should law enforcement use every tool at their disposal, which includes profiling, or should they refrain from using tools that may offend some people.
In the beginning the moderator concedes the main point, that the majority of recent (within the past decade) terrorist attacks have been committed or attempted by men who have a common tie to Islam. If this is true (a fact that was never disputed), then it makes the validity of including it as a metric a foregone conclusion.
In fact, the only objections given by the opposition were
- Judging people based on nationality is not sufficient to determine whether someone is likely to be a terrorist
- Not all terrorists are Muslims
- Not all Muslims are terrorists
- Its a violation of civil liberties to question a certain group more than others
To these, the responses were given
- Religion and race are not the only metrics used and the agents involved aren’t the only ones doing the analysis
- The majority of terrorists in the past decade (or more) have been Muslims
- The size of the overall population is irrelevant, what matters is the statistical likelihood that a terrorist will match the overall profile
- Civil liberties aren’t violated by mere suspicion. They aren’t even violated by extra law enforcement attention (interrogation, scans, etc.)
- It makes us less safe to waste law enforcement resources on “random” searches.
What this debate really highlights is how most people, even supposed “experts”, either don’t understand how statistical analysis works or deliberately choose to misconstrue the facts. It also highlights how our culture’s myopic drive towards political correctness makes us less secure as a result.