Is Computer Security an Illusion?
This year's Black Hat security conference, the 18th annual gathering of InfoSec (information security) geeks in Las Vegas overflowed with attendees and alarms. In a nutshell, the message was “Everyone is vulnerable.” Here are the most important takeaways, what you should know, and what you can do...
Black Hat Security Conference Proves Everyone Is Vulnerable
Way back in 1999, Scott McNealy, then CEO of Sun Microsystems, famously said "You have zero privacy anyway… get over it." Pundits at the time harshly criticized his remarks. But to a large degree, he has been proven right. And now recent events have us wondering if computer security is an illusion as well.
Attendees of the 2015 Black Hat Security conference may have left thinking that every single one of us is as vulnerable as a newborn baby lying in the middle of a freeway. Six presentations demonstrated how easily bad guys can commandeer nearly a billion smartphones; inject malware via advertising (“malvertising”) into any connected device; cripple the global Internet routing system; infiltrate cloud services in undetectable ways; even “kill” living people and give “birth” to non-existent people.
Android has two major flaws that can give bad guys total control of a device. I wrote about the “Stagefright” vulnerability last month. A cunningly crafted MMS message sent to a phone whose number the attacker knows can open a security hole through which malware can be introduced, without the user doing anything at all. “Only” 95% of Android devices are vulnerable to it. Google has issued a patch, but don’t hold your breath waiting for your phone service provider to push it out to your phone. Your best defense is to disable auto-opening of multimedia messages. (Google for instructions on how to turn off the "auto-retrieve" option for MMS messages on your phone.)
Another flaw, called “Certifi-gate,” was described by Check Point researchers at Black Hat and in a Check Point blog post. It involves multiple authentication failures in the programming interfaces that remote support software uses on Android to gain privileged access to a phone’s settings. Any of the flaws can allow a hacker to impersonate a legitimate tech support tool and gain total control of a device.
Phone manufacturers and service providers often install their homebrewed mobile Remote Support Tools (mRSTs) on devices shipped to customers. Each mRST is different, but they share the same flawed approach to verifying who is allowed to talk to them. Because there are so many different mRSTs out there, each needing its own fix from its own vendor, it will be exceptionally difficult to plug this hole. Check Point has provided a free tool to scan your Android device for this vulnerability. Check Point’s blog post, linked above, suggests other ways to mitigate this risk: disable any mRST if you can, avoid untrusted apps, and press your phone’s maker for patches.
More Bad News...
Bad guys have long hidden malware on poorly secured Web sites. Now they’re exploiting cloud file-sync services such as Dropbox, Google Drive, and others to mount “man in the cloud” attacks that go undetected by anti-malware software that only monitors users’ local devices. Your password may be secure, but the “synchronization token” that every such service stores on your device to keep the sync client logged in can be stolen or swapped by malware running as you. Whoever holds that token can read and change your files from anywhere, and push malware into the sync folder of every device linked to the account, without ever needing the password or triggering a new-login alert. The research paper detailing this attack, written by Imperva, is geeky but worth reading. Basically, the onus is on cloud service providers to plug this hole.
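The following is an added illustration of why a stolen sync token is as good as the password, plus the one check a service (or a SOC with access to its logs) can run today. It is a constructed model, not Imperva’s code and not any provider’s real API; the SyncService class, the device-binding option, and the sample log lines are all made up for the demonstration.

```python
"""Added illustration of the 'man in the cloud' token problem.

This is a constructed model, not Imperva's code or any provider's real API.
A sync client authenticates once with a password and then holds a
long-lived synchronization token; anything that can read that token
(malware on the endpoint, a stolen config file) can talk to the service
as the victim without ever touching the password or tripping a login alert.
"""
import json
import os
import re
import secrets
import tempfile
from typing import Dict, List, Optional, Set, Tuple


class SyncService:
    """Hypothetical cloud sync backend that issues bearer sync tokens."""

    def __init__(self, bind_to_device: bool = False) -> None:
        # token -> (account, device id the token was issued to)
        self._tokens: Dict[str, Tuple[str, str]] = {}
        self.bind_to_device = bind_to_device

    def login(self, account: str, device_id: str) -> str:
        # Password verification is omitted; in a real service this is the
        # one step that would generate a "new sign-in" notification.
        token = secrets.token_hex(16)
        self._tokens[token] = (account, device_id)
        return token

    def sync(self, token: str, device_id: str) -> Optional[str]:
        """Return the account the caller may sync as, or None if refused."""
        entry = self._tokens.get(token)
        if entry is None:
            return None
        account, issued_to = entry
        if self.bind_to_device and device_id != issued_to:
            return None  # token presented from a device it was not issued to
        return account


def run_scenario(bind_to_device: bool) -> Dict[str, Optional[str]]:
    """Victim logs in; malware copies the stored token; attacker replays it."""
    service = SyncService(bind_to_device=bind_to_device)
    token = service.login("alice", "ALICE-LAPTOP")

    # The client persists the token on disk, as real sync clients do.
    with tempfile.TemporaryDirectory() as tmp:
        config_path = os.path.join(tmp, "sync_client.json")
        with open(config_path, "w") as fh:
            json.dump({"token": token}, fh)
        # Malware running in the user's context can read the same file.
        with open(config_path) as fh:
            stolen = json.load(fh)["token"]

    return {
        "victim": service.sync(token, "ALICE-LAPTOP"),
        "attacker": service.sync(stolen, "ATTACKER-BOX"),
    }


LOG_LINE = re.compile(r"token=(?P<token>\S+)\s+device=(?P<device>\S+)")


def tokens_seen_from_multiple_devices(log_lines: List[str]) -> Set[str]:
    """Server-side detection heuristic: one sync token, more than one device."""
    seen: Dict[str, Set[str]] = {}
    for line in log_lines:
        m = LOG_LINE.search(line)
        if m:
            seen.setdefault(m["token"], set()).add(m["device"])
    return {tok for tok, devices in seen.items() if len(devices) > 1}


# Constructed sample log lines, not taken from any real service.
SAMPLE_LOG = [
    "2015-08-10T09:00:01Z token=a1b2c3 device=ALICE-LAPTOP op=sync",
    "2015-08-10T09:02:17Z token=a1b2c3 device=UNKNOWN-4f9e op=sync",
    "2015-08-10T09:03:00Z token=d4e5f6 device=BOB-PC op=sync",
    "2015-08-10T09:05:42Z token=d4e5f6 device=BOB-PC op=sync",
]


if __name__ == "__main__":
    print(run_scenario(bind_to_device=False))  # attacker syncs as alice
    print(run_scenario(bind_to_device=True))   # attacker refused
    print(tokens_seen_from_multiple_devices(SAMPLE_LOG))  # {'a1b2c3'}
```

With the default bearer model the attacker's replay from ATTACKER-BOX is accepted as alice; with the assumed device binding it is refused. Binding is only a partial fix, since malware on the endpoint can read the device identifier too, which is why the log-based check (one token appearing from two device identities) is the part a detection team can act on regardless of what the provider does.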
Businesses using Windows Server Update Services (WSUS) may be surprised to learn that an attacker who can intercept the traffic between a client and the WSUS server (a man-in-the-middle position on the network) can inject software that clients will install as if it were part of a Windows update, with full system privileges. This exploit works only if the server is not using SSL encryption, but it turns out that’s the default: WSUS talks plain HTTP out of the box. Server admins can close this hole by enabling SSL on the WSUS server and pointing clients’ update policy at the https:// address, and thank UK-based Context Information Security for discovering it.
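Below is an added audit script for the WSUS weakness just described. It is a constructed example, not Context Information Security’s tooling: it reads the WindowsUpdate policy key either from a `reg export` text file or, on Windows, straight from the registry, and flags clients whose WSUS server is configured over plain http://. The hostnames in the sample exports are made up; 8530 and 8531 are the default WSUS HTTP and HTTPS ports.

```python
"""Added audit for the WSUS plaintext-transport weakness described above.

Constructed example, not Context Information Security's tooling. It parses
the WindowsUpdate policy key as written by `reg export` (the sample text
below is made up) and flags clients pointed at an http:// WSUS server,
the configuration that lets an on-path attacker alter update metadata.
"""
import re
import sys
from typing import Dict, List

POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
POLICY_SUBKEY = r"SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"$')
URL_VALUES = ("WUServer", "WUStatusServer")


def parse_reg_export(text: str) -> Dict[str, str]:
    """Return the string values directly under the WindowsUpdate policy key."""
    values: Dict[str, str] = {}
    in_policy_key = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_policy_key = line[1:-1].lower() == POLICY_KEY.lower()
            continue
        if not in_policy_key:
            continue
        m = VALUE_RE.match(line)
        if m:
            values[m["name"]] = m["value"]
    return values


def audit_wsus_client(values: Dict[str, str]) -> List[str]:
    """Return findings for a client's WSUS policy; an empty list means clean."""
    findings: List[str] = []
    if not any(name in values for name in URL_VALUES):
        return findings  # no WSUS configured; client talks to Microsoft Update
    for name in URL_VALUES:
        url = values.get(name, "")
        if url.lower().startswith("http://"):
            findings.append(
                f"{name}={url}: plaintext HTTP, update metadata can be "
                "altered by anyone on the network path"
            )
        elif not url.lower().startswith("https://"):
            findings.append(f"{name}={url!r}: missing or not an https:// URL")
    return findings


def read_live_policy() -> Dict[str, str]:
    """Read the same values from the local registry (Windows only)."""
    if sys.platform != "win32":
        raise OSError("live registry read only works on Windows")
    import winreg
    values: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POLICY_SUBKEY) as key:
        for name in URL_VALUES:
            try:
                values[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                pass
    return values


# Constructed sample exports (hostnames are made up; 8530/8531 are the
# default WSUS HTTP/HTTPS ports).
WEAK_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://wsus.corp.example:8530"
"WUStatusServer"="http://wsus.corp.example:8530"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000001
"""

HARDENED_EXPORT = WEAK_EXPORT.replace("http://", "https://").replace(":8530", ":8531")


if __name__ == "__main__":
    for label, text in (("weak", WEAK_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(label, audit_wsus_client(parse_reg_export(text)) or "OK")
```

Enabling SSL on the WSUS server alone is not enough: until the client policy (WUServer and WUStatusServer) is changed to the https:// URL, clients keep fetching update metadata over plaintext, which is exactly what this audit catches.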
My favorite Black Hat discovery is “How to ‘kill’ anyone and give birth to a virtual baby.” That’s not the presentation’s title but a good description of what Australian InfoSec geek Chris Rock shared at Black Hat in this interview with the Christian Science Monitor.
You know how easy it is to sign up for an email newsletter? Incredibly, it’s nearly that easy to impersonate a doctor and a funeral director in Australia, Canada, and the good ol’ USA. You need only the license numbers of any random doctor and undertaker, and those are public records. It took Rock five days to figure out how to do it, but only ten minutes to actually do it online.
He can now issue a death certificate for any living person in several countries, which creates even more havoc for a victim than having his or her identity stolen. The Social Security Administration mistakenly adds 14,000 Americans to its “death registry” each year; CNN reported on the impact that had on some victims.
On the flip side is the ability to create a false birth certificate. Then you can obtain a bogus Social Security Number, driver’s license, and other identity documentation. The fake ID can be used for credit fraud, drug dealing, illegal immigration, and a whole lot more criminal activity. If the non-existent person attracts too much law enforcement attention, just “kill” him or her off and make a new virtual baby.
The pace of change is accelerating, and it's bewildering at times. Concepts like personal privacy and computer security are morphing and mutating. My best advice is do your best to stay aware of these changes, and take whatever measures you can to minimize the problems.
Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 17 Aug 2015
Copyright © 2005 - Bob Rankin - All Rights Reserved