Is Computer Security an Illusion?
This year's Black Hat security conference, the 18th annual gathering of InfoSec (information security) geeks in Las Vegas, overflowed with attendees and alarms. In a nutshell, the message was “Everyone is vulnerable.” Here are the most important takeaways, what you should know, and what you can do...
Black Hat Security Conference Proves Everyone Is Vulnerable
Way back in 1999, Scott McNealy, then CEO of Sun Microsystems, famously said "You have zero privacy anyway… get over it." Pundits at the time harshly criticized his remarks. But to a large degree, he has been proven right. And now recent events have us wondering if computer security is an illusion as well.
Attendees of the 2015 Black Hat Security conference may have left thinking that every single one of us is as vulnerable as a newborn baby lying in the middle of a freeway. Six presentations demonstrated how easily bad guys can commandeer nearly a billion smartphones; inject malware via advertising (“malvertising”) into any connected device; cripple the global Internet routing system; infiltrate cloud services in undetectable ways; even “kill” living people and give “birth” to non-existent people.
Android has two major flaws that can give bad guys total control of a device whose phone number they know. I wrote about the “Stagefright” vulnerability last month. A cunningly crafted MMS message sent to a phone can open a security hole through which malware can be introduced. “Only” 95% of Android devices are vulnerable to it. Google has issued a patch, but don’t hold your breath waiting for your phone service provider to push it out to your phone. Your best defense is to disable auto-opening of multimedia messages. (Google for instructions on how to turn off the "auto-retrieve" option for MMS messages on your phone.)
Another flaw called “Certifi-gate” was described by Check Point researchers at Black Hat and in a Check Point blog post. It involves multiple authentication failures in a programming interface built into all versions of Android to give tech support access to a phone’s settings. Any of the flaws can allow a hacker to impersonate legitimate tech support and gain total control of a device.
Phone manufacturers and service providers often install their homebrewed mobile Remote Support Tools (mRSTs) on devices shipped to customers. Each mRST is different but uses the flawed API. Because there are so many different mRSTs out there, it will be exceptionally difficult to plug this hole. Check Point has provided a free tool to scan your Android device for this vulnerability. Check Point’s blog post, linked above, suggests other ways to mitigate this risk, i.e., disable any mRST if you can, avoid untrusted apps, bug your phone’s maker for patches.
More Bad News...
Bad guys have long hidden malware in poorly secured Web sites. Now they’re exploiting cloud services such as Dropbox, Google Drive, etc., to create “man in the cloud” exploits that go undetected by anti-malware software that only monitors users’ local devices. While your login credentials may be secure, the “synchronization tokens” used by all such services are vulnerable to manipulation that can give attackers the power to inject malware into end users’ devices. The research paper detailing this exploit, written by Imperva, is geeky but worth reading. Basically, the onus is on cloud service providers to plug this hole.
Businesses using Windows Server Update Services may be surprised to learn that any low-privilege user can install software as if it were part of a Windows Server update. This exploit works only if the server is not using SSL encryption, but it turns out that’s the default. Server admins can enable SSL encryption to close this hole; thanks go to UK-based Context Information Security for discovering it.
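A quick way for a Windows admin to check whether their own machines are exposed to the plaintext-HTTP default described above. This is an added example, not code from the article or from Context Information Security; it assumes the standard Group Policy registry location for WSUS client settings, and the server name in the comments is a placeholder.

```powershell
# Added example (not from the article): audit a Windows client's WSUS policy
# for a plain-HTTP update server, and note the server-side fix.
# Assumes the standard Group Policy registry key for WSUS client settings.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Test-WsusTransport {
    # Returns one object per configured WSUS URL, flagging whether it uses HTTPS.
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    if (-not $props) {
        Write-Warning "No WSUS policy under $PolicyKey (client may use Windows Update directly)."
        return
    }
    foreach ($name in 'WUServer', 'WUStatusServer') {
        $url = $props.$name
        if ($url) {
            [pscustomobject]@{
                Setting = $name
                Url     = $url
                Secure  = [bool]($url -match '^https://')
            }
        }
    }
}

$results = Test-WsusTransport
$results | Format-Table -AutoSize

if ($results | Where-Object { -not $_.Secure }) {
    Write-Warning 'WSUS is reached over plain HTTP; update traffic is not protected in transit.'
    # Server-side fix (run on the WSUS server after binding a TLS certificate to the
    # WSUS site in IIS); wsus.example.internal is a placeholder for your server's FQDN:
    #   & "$env:ProgramFiles\Update Services\Tools\wsusutil.exe" configuressl wsus.example.internal
    # Then point clients at https://wsus.example.internal:8531 in the same Group Policy setting.
}
```

Run it on a domain-joined client; an http:// value in either setting means the update channel is still vulnerable regardless of what the server itself supports.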
My favorite Black Hat discovery is “How to ‘kill’ anyone and give birth to a virtual baby.” That’s not the presentation’s title but a good description of what Australian InfoSec geek Chris Rock shared at Black Hat in this interview with the Christian Science Monitor.
You know how easy it is to sign up for an email newsletter? Incredibly, it’s nearly that easy to impersonate a doctor and a funeral director in Australia, Canada, and the good ol’ USA. You need only the license numbers of any random doctor and undertaker, and those are public records. It took Rock five days to figure out how to do it, but only ten minutes to actually do it online.
He can now issue a death certificate for any living person in several countries, which creates even more havoc for a victim than having his or her identity stolen. The Social Security Administration mistakenly adds 14,000 Americans to its “death registry” each year; CNN reported on the impact that had on some victims.
On the flip side is the ability to create a false birth certificate. Then you can obtain a bogus Social Security Number, driver’s license, and other identity documentation. The fake ID can be used for credit fraud, drug dealing, illegal immigration, and a whole lot more criminal activity. If the non-existent person attracts too much law enforcement attention, just “kill” him or her off and make a new virtual baby.
The pace of change is accelerating, and it's bewildering at times. Concepts like personal privacy and computer security are morphing and mutating. My best advice is do your best to stay aware of these changes, and take whatever measures you can to minimize the problems.
Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 17 Aug 2015
Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- Is Computer Security an Illusion? (Posted: 17 Aug 2015)
Source: https://askbobrankin.com/is_computer_security_an_illusion.html
Most recent comments on "Is Computer Security an Illusion?"
Posted by:
Robert Bailey
17 Aug 2015
Thanks Bob. The above is interesting and scary at the same time. Thanks for making us all aware of the dangers out there.
Posted by:
clyde reed
17 Aug 2015
Yes, all computer security is an illusion. I do not open any email that I do not know; I just delete them. I have no cell phone, so I don't have to worry.
I do not go to a web site I do not know. I never give out personal info to anyone. I destroy all papers with my address on them, catalogs also.
Posted by:
David
17 Aug 2015
Bob, I am a digital freak and love gadgets, but I am beginning to wonder if (until all of these issues are "fixed") the dangers and hassles are really worth the grief. I am considering becoming a virtual hermit.
Posted by:
Natalie
17 Aug 2015
Hi Bob--
My iMac was infected with malware via the Internet, preventing me from accessing anything online. A pop-up came up which said "Warning--your computer is infected--call this number immediately!"
I called and the responder said his company could fix the problem in two hours--for $199. And that Apple would charge me $350. Of course I was at least smart enough to hang up and call Apple--who guided me to get rid of the problem through a no-charge 10 minute phone call.
Am I wrong to suspect that the company who offered the expensive fix had a hand in circulating the malware?
EDITOR'S NOTE: Seems very likely!
Posted by:
Russ
17 Aug 2015
"Computer Security" is an oxymoron!
Posted by:
RandiO
17 Aug 2015
Your subject line is a trick question >> I just know it!
Many think that "Computer Security" is an oxymoron to begin with.
But I am not certain what to call it when those three words are used in the same sentence (or in the same subject-line posed as a question).
Whether we single out one OperatingSystem (such as Android) over any other OS as insecure is not fair!
Especially since any computer/OS that is connected to the internet, by definition, is insecure.
Thus (and IMHO), your subject-line has the proper ingredients for the makings of a placebo elixir.
Posted by:
RandiO
17 Aug 2015
[Apologies for double posting:] Based on the posts herein, we have to admit that the internet is quite an interesting, alluring and educational place to hang around in, although it is full of traps and nasties! But short of putting a HazMat suit on and hiding in our fall-out shelters, we can imitate the survivalists. Instead of never visiting websites we don't know, or never opening an email we don't recognize, or thinking to pay ransom when our machines are hijacked: I think it would be the best defense to keep an (up-to-date) image/clone of our OperatingSystem handy, so that we don't miss all the fun this place we call the internet has got to offer. I use Acronis TrueImage and it makes me feel invincible at times!
Posted by:
Robert Kemper
17 Aug 2015
Thanks Bob, for a much needed and up to date article on security.
Posted by:
Ralph Sproxton
17 Aug 2015
Hi, Bob.
You say:
"Google has issued a patch, but don’t hold your breath waiting for your phone service provider to push it out to your phone."
My phone is a Google Nexus 5. I'm in a better position for updates with a Google phone, since I don't have to deal with any middlemen -- right?
p.s. I'm still having an intermittent "Eminent Domain" problem, although not at the moment.
Posted by:
Deborah
17 Aug 2015
I got a computer, I put firefox on it. A month later I added 2 or 3 add-ons. My spyware programs and CCleaner are having a hard time finding things to delete.
I am not interested in posting. I think it is important that people get the right add-ons as soon as they get a computer. It makes a world of difference.
Thanks for your newsletter.
Deb
Posted by:
Richard Dengrove
18 Aug 2015
I was told by an MIT geek in 1972 that, theoretically, all computers could be hacked. Long before the web and he was talking about mainframes. I guess the best I can do is protect against probable threats.
Posted by:
Jack
18 Aug 2015
If I got virtually "killed" through hacking, would I still have to pay taxes?
Posted by:
Ken Driver
18 Aug 2015
It would seem the only recourse is to join the Amish and live off the grid.
Posted by:
Calvin
20 Aug 2015
@ Ken Driver - don't kid yourself, some of the Amish around here have the highest end cell phones and internet access. They are opposed to any physical manifestation of connection to the outside world. Cell phone data plans circumvent the physical signs that they are doing something that officially they are not supposed to. So modern technology has even subverted some of them.