The Pitch
The first step of the attack comes in the form of utilizing a botnet to send out a fake news article using the default styles of a legitimate shared article. These emails often use minimal styling and shortened URLs making a fake shared story almost impossible to distinguish from a real one.

The Hook
The user is then taken to a fake mobile version of the news article where the user is able to browse the page as they normally would. The only clue to the fake at this point is the URL in the address bar which can easily be spoofed with either a shortened URL or a misspelled domain name.

The Bait
After a certain amount of time, an iOS alert pops up to inform the user that the iTunes Terms of Service has changed. Normally users are only prompted to accept changes after attempting a download from the iTunes store. But as anyone who has owned an iPhone will attest to, these changes often stand in the way of desired actions and often are accepted without a second thought. By delaying the bait until after the user has begun to read the article, it stands to reason the users will simply accept the thought of accepting the new Terms of Service without second thought.

The Switch
The users, after having clicked through to accept the changes, are taken to a facsimile iTunes Store Terms of Service page where users are given bogus information about the update they are about to agree to. This view of removing the standard Safari title bar is easily accomplished through several frameworks designed to perfectly mimic the iOS user interface.

The Payoff

The user scroll to the bottom of the fake Terms of Service to the realistic “Accept” button where upon clicking pops up a copy of the iOS Username and Password Prompt.  After entering their username and tapping the “OK” button, the user can be forwarded back to the article being none the wiser to their personal information now being in the hands of the highest bidder.

Conclusion

This exploit brings up the interesting thought of educating users to how interfaces conduct their primary routines. Potentially, the only way the users could be warned of the fact that this is a scam would be through the fact that iTunes never asks for users to accept a Terms of Service update through a Safari window. This proof of concept was done in only a few hours but could easily be made almost undetectable through the use of an app slipping through the approval process at Apple or just even more advanced and malicious Javascript and CSS. While this was simply a harmless proof of concept, this could easily be put into the wild and start showing up in spam messages almost overnight.

View the proof of concept here.

Share/Save

According to this research paper, its pretty easy.

Srdjan Capkun, an assistant professor of computer science in the system security group at ETH Zurich in Switzerland, who led the work, says he was inspired to investigate the security of keyless entry and start systems after buying a car that had one. Capkun and Aurélien Francillon and Boris Danev, both researchers in the same institution, examined 10 car models from the eight manufacturers. They were able to access all 10 and drive them away by intercepting and relaying signals from the cars to their wireless keys. While they could relay the signals from the key back to the car as well, usually they did not need to because the key transmits its signals up to around 100 meters. The attack works no matter what cryptography and protocols the key and car use to communicate with each other.

Normally, when a wireless key is within a few meters of the right car, it detects a low-powered signal that causes it to issue a command that opens the car enable the ignition. The researchers used a pair of antennas to transmit these signals from the car to the key when the key was farther away, tricking the car into opening without the ordinary authorization. One antenna needs to be very close to the car, and one needs to be within eight meters of the key.

The researchers came up with two versions of the attack. In one, they ran a cable from near the car to near the key and used it to transmit the signals. They conducted the other wirelessly. Francillon says that the materials for the wired attack cost about $50, and those for the wireless attack cost between $100 and $1,000, depending on the electronic components used.

Share/Save

Super logoff

Mikalah uses Facebook but when she goes to log out, she deactivates her Facebook account. She knows that this doesn’t delete the account – that’s the point. She knows that when she logs back in, she’ll be able to reactivate the account and have all of her friend connections back. But when she’s not logged in, no one can post messages on her wall or send her messages privately or browse her content. But when she’s logged in, they can do all of that. And she can delete anything that she doesn’t like. Michael Ducker calls this practice “super-logoff” when he noticed a group of gay male adults doing the exact same thing.

Mikalah is not trying to get rid of her data or piss of her friends. And she’s not. What she’s trying to do is minimize risk when she’s not present to actually address it. For the longest time, scholars have talked about online profiles as digital bodies that are left behind to do work while the agent themselves is absent. In many ways, deactivation is a way of not letting the digital body stick around when the person is not present. This is a great risk reduction strategy if you’re worried about people who might look and misinterpret. Or people who might post something that would get you into trouble. Mikalah’s been there and isn’t looking to get into any more trouble. But she wants to be a part of Facebook when it makes sense and not risk the possibility that people will be snooping when she’s not around. It’s a lot easier to deactivate every day than it is to change your privacy settings every day. More importantly, through deactivation, you’re not searchable when you’re not around. You really are invisible except when you’re there. And when you’re there, your friends know it, which is great. What Mikalah does gives her the ability to let Facebook be useful to her when she’s present but not live on when she’s not.

Wall scrubbing

Shamika doesn’t deactivate her Facebook profile but she does delete every wall message, status update, and Like shortly after it’s posted. She’ll post a status update and leave it there until she’s ready to post the next one or until she’s done with it. Then she’ll delete it from her profile. When she’s done reading a friend’s comment on her page, she’ll delete it. She’ll leave a Like up for a few days for her friends to see and then delete it. When I asked her why she was deleting this content, she looked at me incredulously and told me “too much drama.” Pushing further, she talked about how people were nosy and it was too easy to get into trouble for the things you wrote a while back that you couldn’t even remember posting let alone remember what it was all about. It was better to keep everything clean and in the moment. If it’s relevant now, it belongs on Facebook, but the old stuff is no longer relevant so it doesn’t belong on Facebook. Her narrative has nothing to do with adults or with Facebook as a data retention agent. She’s concerned about how her postings will get her into unexpected trouble with her peers in an environment where saying the wrong thing always results in a fight. She’s trying to stay out of fights because fights mean suspensions and she’s had enough of those. So for her, it’s one of many avoidance strategies. The less she has out there for a jealous peer to misinterpret, the better.

I asked Shamika why she bothered with Facebook in the first place, given that she sent over 1200 text messages a day. Once again, she looked at me incredulously, pointing out that there’s no way that she’d give just anyone her cell phone number. Texting was for close friends that respected her while Facebook was necessary to be a part of her school social life. And besides, she liked being able to touch base with people from her former schools or reach out to someone from school that she didn’t know well. Facebook is a lighter touch communication structure and that’s really important to her. But it doesn’t need to be persistent to be useful.

Two very excellent ideas for reducing your risk online. Both do it through minimizing the available attack surface. One does it proactively (denying others the ability to post) while the other does it retroactively (thwarting historical attacks). Both approaches have merit and could be very useful if you are concerned with how your digital presence might be used or misused in your absence.

Share/Save

Share/Save

Share/Save

Share/Save

Here’s an excellent article on the use of biometrics in security system. Here are some highlights.

Intro

Authentication of a person is usually based on one of three things: something the person knows, such as a password; something physical the person possesses, like an actual key or token; or something about the person’s appearance or behaviour. Biometric authentication relies on the third approach. Its advantage is that, unlike a password or a token, it can work without active input from the user. That makes it both convenient and efficient: there is nothing to carry, forget or lose.

Some problems

The downside is that biometric screening can also work without the user’s co-operation or even knowledge. Covert identification may be a boon when screening for terrorists or criminals, but it raises serious concerns for innocent individuals. Biometric identification can even invite violence. A motorist in Germany had a finger chopped off by thieves seeking to steal his exotic car, which used a fingerprint reader instead of a conventional door lock.

Another problem with biometrics is that the traits used for identification are not secret, but exposed for all and sundry to see. People leave fingerprints all over the place. Voices are recorded and faces photographed endlessly. Appearance and body language is captured on security cameras at every turn. Replacing misappropriated biometric traits is nowhere near as easy as issuing a replacement for a forgotten password or lost key. In addition, it is not all that difficult for impostors to subvert fingerprint readers and other biometric devices.

Research findings

The panel of scientists, engineers and legal experts who carried out the study concludes that biometric recognition is not only “inherently fallible”, but also in dire need of some fundamental research on the biological underpinnings of human distinctiveness. The FBI and the Department of Homeland Security are paying for studies of better screening methods, but no one seems to be doing fundamental research on whether the physical or behavioural characteristics such technologies seek to measure are truly reliable, and how they change with age, disease, stress and other factors. None looks stable across all situations, says the report. The fear is that, without a proper understanding of the biology of the population being screened, installing biometric devices at borders, airports, banks and public buildings is more likely to lead to long queues, lots of false positives, and missed opportunities to catch terrorists or criminals.

Share/Save

Here’s the abstract:

Unless your digital camera or camera equipped cellphone is more than fifteen (15) years old, the chances are good that any pictures taken with that device contain metadata; which describes the (who, what, where, when and how)conditions under which the picture was taken.  The metadata is stored with the picture in an image file, and goes everywhere the file is copied, uploaded ordownloaded.  This metadata is meant to help us, document the moment a picture was taken, and also to maintain the fidelity of edited or printed copies.  But as discussed in my article on Augmented Reality, once an image file containing metadata leaves your possession, there are a variety of ways in which that same metadata can be used against you.

So, just how dangerous is image file metadata?  In the past, there have been numerous discussion, examples and demonstrations of how much usefulinformation can be extracted from image files.  But publicly, nobody has admitted performing a risk assessment of image file metadata.  I suspect that such assessments already exist, but are probably classified as CUI (Controlled Unclassified Information).  And so, I have undertaken the task of performing aqualitative risk assessment to answer the question.

Share/Save

Here is my utility to check certificate information.

And if you are looking for a couple of certificates to use to try this tool out, here is a PKCS12 self-signed certificate. Or, you could use my handy self-signed PKCS12 certificate generator and make your own.

Special thanks to John Veldboom for his ColorPal app which helped me make the more appealing to the eye.

Share/Save

The central issue in the debate is this: Are we justified in calling any form of aggression carried out in a synthetic space such as the internet a “war”?

In my estimation Bruce Schneier brings up some very good points and concerns in his portion of the debate. Points and concerns that, as far as I could tell, were never really addressed by his opponents.

As attacks, specifically attacks likely carried out between government organizations, become more frequent settling the question of cyber warfare will only get more and more important.

Some questions worth considering are: Where are the lines between enemy combatants and non-combatants? Are there any “civilians” in a cyberwar? Should we give up trying to secure everyone and split off “critical” parts onto their own private network? What about the weapons of a cyberwar? Have we thought about what it means to consider information as a weapon in itself?

All of these questions have serious ramification in how we go about addressing the issues we face. And if we consider the issues to be important, how much more important are the terms and definitions that frame the issues? It is wise to not offer an answer or solution without first making sure one has the question or issue properly defined.

Here is the full IQ2 debate to help give you a good overview of the issue:

The Cyber War Threat Has Been Grossly Exaggerated from Intelligence Squared US on Vimeo.

Share/Save