SMS, GPS, and Your Favorite Movie.
I have several sites that I get RSS feeds from, and as you might expect, many of them relate to security. Consequently, I see headlines that run the gamut from sophisticated attacks on the computer CPU (Spectre, Meltdown, etc.), to phishing attacks, to poor security in IoT devices. All of this becomes fodder for blogs and for the security awareness training classes that I conduct for Ashton.
To me there are two types of attacks on computer users. There is the attack that they can't control: a zero-day exploit that requires a patch that has yet to be developed. This involves a bug in some software that allows an attacker access (with the developer being slow to fix the issue), or just a bad design that can be exploited from the outside. These types of issues leave the user pretty much at the mercy of manufacturers, or require them to have enough technical savvy to guard themselves until a fix is provided. Unfortunately, most users don't have this expertise. At some companies, the IT department has that expertise and can provide assistance. Sometimes, even they are helpless.
The other type of attack is harder to defend against, and that is social engineering. There is a lot of discussion about how expecting users to be smart enough to protect themselves is not the right approach. The call is for software and systems to be smart enough to protect the users. If observation has taught me anything, it is that as long as people design anything, there will be mistakes made, corners cut, and bad decisions made, and the bad guys will exploit them. Even a basic level of security awareness will help people to avoid being taken advantage of and thus prevent the bad guys from gaining what they want.
The bad guys want information. Your information. They want your bank information, your identity, your health information; anything that can be monetized. Social engineering is how they try to get it. Let's take a quick look at two ways your information gets stolen. This article discusses SMSishing, which is social engineering via text message. The TSB bank in the UK had a breach that was precipitated by a two-stage attack. Phishing emails were sent out, and followed up by texts to those who responded. The two different contact methods lulled people into a false sense of security. If they had not been fooled by the email, they would not have received the texts, and the attack would have stalled.
Brian Krebs has a website that covers a lot of security-related issues, and this article reinforces the old saying "Once it's on the internet, it's there forever". Social media sites (Facebook) are rife with surveys that ask questions like "What was your first car?". Unfortunately, these questions are the same as or similar to the ones used for password resets on numerous websites. If you answer the survey with the same answers as your reset questions, you are publishing the information someone needs to steal your accounts. I have been recommending in class, as does Brian, that if you answer the reset questions, make up answers and just record them in your password manager (you do have one, don't you?) in case you ever need them. Once that information gets out there, it is not very hard for the bad guys to get their hands on it.
It is bad enough when someone comes after your information with a social engineering attack and actively tries to get your information, but it is far worse when your information can be harvested because it is being made available on the web without your knowledge.
This article relates the poor security that exists on children's watches that are supposed to be safety devices. The watches have GPS capability that allows parents to find their children and even call them via the watch. The poor state of security on devices like this is summed up in this excerpt:
We demonstrated that anyone on the internet could:
- locate your child on a map in real time, such as at the play park
- call your child on their watch
- covertly snoop on both you and your child, listening to you both
- send messages to your child on the watch, appearing to be from you
- retrieve a photo of your child, plus their name, date of birth, gender, weight & height
This did not require advanced skill; it was well within the capability of an attacker with basic coding skills using only free tools.
The scary part of the article is the assessment that this weakness affected possibly 30,000 watches, and possibly up to a million, since the watches are sold rebranded under other names. Here again is an example of a good idea poorly implemented. What parent would not want the ability to communicate with a young child (these were aimed at sub-teen children) and know where they are? Unfortunately, unless someone like the authors of the article does a security assessment, how are you to know whether a device is secure or not? The sad answer is that you can't. What you can do is ask questions about the security of a given device. If you can't get satisfactory answers, it is time to look for another device.
The idea of being connected and working electronically is here to stay. So are the bad guys. It is up to us as consumers of the electronics to do some homework before we jump on the bandwagon. We need to get educated about protecting our data because if we don’t, there are a lot of people out there who will be happy to relieve us of it and make use of it to our detriment.