Automotive Security Holes

March 14, 2011

Researchers at UCSD and University of Washington have released a paper on finding remote vulnerabilities in automotive computer systems. Though the simplest method is still to use the automotive data interface, there are also exploitable holes in the cellular network interface, bluetooth network interfaces, and even the car stereo system.

From the article:

But their most interesting attack focused on the car stereo. By adding extra code to a digital music file, they were able to turn a song burned to CD into a Trojan horse. When played on the car’s stereo, this song could alter the firmware of the car’s stereo system, giving attackers an entry point to change other components on the car. This type of attack could be spread on file-sharing networks without arousing suspicion, they believe. “It’s hard to think of something more innocuous than a song,” said Stefan Savage, a professor at the University of California.

Adding computers to things also adds security implications. It’s too bad that this is not better understood in the world of product development.

Secondhand Data

March 14, 2011

The State of New Jersey very nearly auctioned off dozens of computers containing sensitive data – and they almost certainly have done so in the past. This was the first time that the state comptroller’s office thought to look at the disposition of the equipment that was to be auctioned.

If your company is looked to get rid of old equipment, it is imperative that you check it for data first. This includes desktops and laptops, of course, but also devices like networked printers or fax servers that may contain a hard drive. For wiping data and leaving the drive usable by the buyer, I recommend DBAN. If that drive doesn’t need to be usable in the future, I suggest one of these, or perhaps a giant hammer.


Disabling GSM Phones With SMS

March 11, 2011

Researchers at CanSecWest gave a presentation this week on disabling various GSM phones using only SMS messaging. OpenBSC, an open source toolkit, was used to build a custom GSM network and the SMS messages were generated using it. Phones could be frozen, rebooted, locked, even completely bricked.

From one of the comments on the article:

It’s actually pretty well known –has been known for a while, too– that handsets are mostly tested against the few types of base stations Out There and, er, that’s it. Malicious input checking? Never needed; all the base stations are made by just a few manufacturers, right? Right?

Well, that’s what OpenBSC changed. Phones are still back where computers were back in the eighties. And now we can poke at them. There’s more where this came from. Far more.

The Current State of Cyberwar

March 9, 2011

An excellent article in the CS Monitor, discussing the current state of cyberwar and how it differs from conventional warfare and its doctrines. Not a lot of new material for those of us who work in the field, but an excellent summation for the layman.

Wells Fargo BYOH

March 8, 2011

At the end of January, I wrote about the current trend in allowing users to bring their own hardware into an enterprise environment. Some companies are allowing personally owned smartphones and tablets, for example, to connect to their enterprise network. This both makes employees happy and saves the company money.

Other companies are not allowing this. Wells Fargo, for one.

From the article:

“I carry two phones. One for personal, and one for work,” says Martin Davis, executive vice president and head of Wells Fargo’s technology integration office. “I’ve got two iPads in my briefcase, for personal and work. We keep it separate.”

I like the way he thinks.

SSD Self-Purging

March 7, 2011

Researchers from Australia have published a new paper indicating that forensic tasks will be a lot more difficult on solid-state drives than it is on standard hard drives. Routines built into the drive hardware to clean up unused space will alter data, without any human intervention at all. Worse yet, tools like “write blockers” are ineffective because the actions are internal to the drive and not initiated from the outside.

Evidence gathering is going to be a lot tougher until some new tools are developed.

Definition Monday: DDoS Attacks

March 7, 2011

Welcome to Definition Monday, where we define and explain a common technology or security concept for the benefit of our less experienced readers. This week: DDoS Attacks.

A Distributed Denial of Service Attack, often referred to as a DDoS Attack or simply a DDoS, is a more advanced version of a classic Denial of Service (DoS) attack. To explain what it is and how it works, it might be helpful to look at an analogous situation using the telephone network.

Imagine that you have a single phone line for your business, which is used to answer customer questions and take orders. Now imagine that someone has decided to render that phone line useless by calling it over and over again, and then hanging up when the call is answered. The phone is always ringing, but there is nothing useful on the other end. And worse, legitimate customers cannot get through to talk to you. The customer service provided by the phone line is being denied. Hence, denial of service attack.

Something similar is done in the IP world. A publicly accessible web server that provides information and ordering capabilities to your customers can be attacked by a rogue computer. Using a variety of techniques – I won’t get into the nitty-gritty technical details here, both because there are many different attacks and because they require some in-depth networking knowledge to understand – that server can be flooded with traffic that appears to be legitimate but is not. That means that genuine customer traffic is squeezed out; an actual customer cannot place an order, because the web server is inaccessible to him.

A classic DoS like this is pretty easy to mitigate. With the phone example, you would contact your telephone service provider and tell them to block the number that keeps calling you. Similarly, with the IP networking example, you would contact your web hosting provider or, if you’re hosting your own server, your Internet service provider and tell them to block all traffic from the IP address that is flooding your web server. The nefarious traffic, in either case, is blocked before it gets to your phone or your web server, and customers can connect again.

A Distributed Denial of Service Attack, on the other hand, is not so easy to cut off. (Just ask the people at WordPress, who got smacked with one a few days ago.)  The “Distributed” part of the name is the important distinction; rather than coming from a single source, this traffic is coming from all directions.

To go back to the phone example, imagine that your business phone is ringing off the hook – but that each call is coming from a completely different area code and phone number. The phone company will have great difficulty blocking the calls, especially in light of the fact that there is no way to do so without risking a block of legitimate calls as well.

In the IP networking world, a DDoS means that the traffic is coming from multiple sources simultaneously. This both makes it more difficult to block, as in the phone example, but more importantly it means that the hostile traffic is aggregated. Being attacked by a hundred compromised cable modem clients at 10Mb/s each means that there is a 1 Gb/s flood of traffic hitting your web server. An average botnet – that is, a centrally controllable group of compromised machines, often used to launch an attack like this – numbers in the tens of thousands to hundreds of thousands of computers. That’s a lot of traffic.

So how do you deal with a DDoS against a business resource? The first thing to do is make sure that you have some idea of the capabilities of your ISP or hosting provider – you should have, in writing, their policy on DDoS mitigation. There are steps that can be taken upstream to block this traffic, but the capability to do so varies by provider and is often closely correlated with price. You also want to make sure that your infrastructure is being properly monitored using an IDS or a SIEM or something similar, so that you are aware when a DDoS begins. And you need to have a backup plan for what happens if your web site or other Internet resource is unavailable for a short period. Maybe taking orders by phone isn’t completely antiquated after all.


Autorun Update

March 3, 2011

Microsoft is now pushing out Autorun Update from their Automatic Updates repository. This means that home and SOHO users who are patching their machines from Microsoft, without benefit of WSUS or other management platforms, will have their Autoplay restricted to CDs and DVDs. Since the autoplay of USB keys and other volumes was being badly abused by malware, this is a good thing – just keep it in mind for when your less computer savvy friends call to ask why they aren’t getting that neat popup menu any more when they put in the SD card from their camera.

This update affects WinXP and newer systems.

Applications Pulled from Android Market

March 2, 2011

Google has just removed 21 malicious applications from the Android market – they were all pirated knock-offs of other software, loaded with malware and intended to compromise the handset they were installed upon. Despite their quick action, 50,000 copies had already been downloaded.

Speculation on Thunderbolt

March 1, 2011

Thunderbolt, a new I/O interface, was introduced last week on the latest line of Macbook Pro portable computers. Physically, it uses a DisplayPort connector – and, if you like, it can be used as a simple DisplayPort interface to connect a monitor or projector to the computer. But it is also a successor to Firewire, capable of daisy-chaining up to five devices with a shared bus bandwidth of 10Gb/s.

It is also a successor to Firewire in that it is an unauthenticated peer-to-peer bus protocol (as distinct from a master-slave protocol like USB). This characteristic has been exploited in Firewire to forensically read the contents of RAM or attached disks from a live machine. While the details on Thunderbolt are rather sketchy right now, it’s easy to imagine that an adversary could rig a display device to surreptitiously harvest data from a client machine, while appearing to function normally.

Physical security is tricky to enforce. Most people are smart enough to avoid plugging a random USB drive or Ethernet cable into a machine that holds sensitive data – but they won’t think twice about using a projector in a classroom or at a conference. Thunderbolt adds a whole new class of peripherals into the “untrusted” group. Watching the professionals take a crack at this will be very interesting.