Blogger World: hacker

Wednesday 17 December 2014

Basic Security Tips for Bloggers and Begginers

Wednesday 17 December 2014 - 0 Comments

Recently, Mat Honan’s frightening account of how hackers destroyed his digital life has been making rounds online, scaring nearly everyone who reads it.

Basically, Honan’s digital presence was all but destroyed after hackers managed to delete his Google Account, wipe his iPhone, iPad and Macbook and deface his Twitter account. The reason for the attack, according to one of the people behind it, was “lulz” and to play around with a three-character Twitter name.

Honan’s position as senior reporter at Gizmodo did nothing to provoke nor protect him from the attack. Though he acknowledges his mistakes the affair, most sharply his failure to backup critical data (which everyone should have), his sharpest barbs were for Amazon and Apple, who’s security policies made the hack possible.

Though he acknowledges his mistakes the affair, most sharply his failure to backup critical data (which everyone should have), his sharpest barbs were for Amazon and Apple, who’s security policies made the hack possible.

Though Amazon and Apple have responded by updating their security policies, hopefully to prevent future attacks along the same vector, many have been wondering what they can do to strengthen their security online.
The truth is, no security is perfect and anyone who is a valuable enough target can be bit. But you can make yourself a more difficult target and someone who can not be trivially exploited and you can minimize the damage an attacker can do.
With that in mind, here are a few mostly common sense steps that can get you started to being more secure online.

Make or Write Smart Password Using Letter, Numerical, Upper & Lower Case:

A good password should be long, at least eight characters, easy to remember and contain a combination of lower case letters, upper case letters, numbers and symbols. Most importantly, it should not be a word found in the dictionary nor any variation of one.

Also, you should never reuse a password for more than one site and you should never write your passwords down.

If this sounds like a lot, it is. It’s too much for pretty much anyone to do without help.
One solution is to use a device known as a cipher to generate passwords on the fly. For example, you can look at the domain name of the site and generate a password based on it. Basically, to do this, you look at the site you’re at and create a hard-to-guess password from the domain.

For example, facebook might have a password of g1s@v3r$ if you use the cipher of looking at your keyboard and writing the first four letters of the domain “face” using the keys one to the right of the real ones and then breaking up the letters with the numbers 1-4 alternating with the shift function every other time. Look at your keyboard (US) if you are unclear.

Alternatively, you can also use services like LastPass to help you generate, store and automatically fill in passwords. However, these services are a trade off between random, difficult passwords and a new central point of failure. As long as the service itself is secure, you’re most likely fine.

Two Factor Authentication Attempt:

Matt Cutts at Google recommended this strongly on his blog and I agree.
Two factor authentication simply means that you need two forms of authentication to log into a site. However, they have to be two different forms (not simply two passwords).

One form, obviously, is your password (something you know) but the other is usually something you have. These days, your cell phone is the most likely thing as many services, such as PayPal and Google, will send you a text that you have to repeat to log in. Google also, has its own app for most phones and that’s how LastPass handles its two-factor authentication.

This is an incredibly powerful tool because, even if your password is compromised, which Honan’s attack shows it can be easily in some cases, your account is not. It’s very unlikely, barring drastic steps, someone is going to have both your cell phone and your password. One or the other is possible, even likely, but not both.

If your account offers two factor authentication, turn it on as soon as possible. It’s a very powerful step.

Personal Information:

A lot of sites will ask you to create backup security questions in case you forget your password. Common ones involve things such as your favorite pets name or the street you grew up on.
The problem is that many of these things can be trivially researched. However, you can beat this by simply lying on the questions.

After all, there’s no rule that you be honest, just that you remember your answer. If you’re asked for your favorite pet, give the name of your childhood imaginary pet. Ideally, your answers should be related enough to the questions to remind you of what you said, but far enough off base that it’s not trivially guessed.

Credit Card Common Sense Tips:

Credit cards are like passwords, ideally they should not be used more than once and should never be stored. As Honan’s attack showed, even if they aren’t used for financial gain, they can still be used to open up exploits into other accounts.

If you have a bank or a credit card company that will issue single-use credit card numbers, use them. They are immensely powerful. If you don’t, try to avoid storing your credit card numbers and especially about storing one number across multiple accounts.

It might be annoying to re-enter your credit card data every time you want to buy a book on Amazon, but it could be what saves you from a minor hack becoming a major one.

Bottom Line:

In the end, security is about the trade off between protection and convenience. Most of the things that make you more secure will also take up more of your time.

It’s really annoying to have to find your phone every time you want to log in to your gmail or you have to enter a complex password that’s difficult to guess. Life would be much easier if we didn't have to deal with those things.

But, of course, that isn't practical. The problem is that others don’t value your life, your privacy, your information or your work. They would happily destroy it all, whether it’s for profit, a vendetta or just “lulz”, there are individuals who will not think twice about destroying your world.

If you realize that and that no one is too unimportant to be a target, then it only makes sense to take precautions now. Today’s hassle may save you from tomorrow’s attack.

Friday 21 November 2014

How Attackers Can Use Radio Signals and Mobile Phones to Steal Protected Data

Friday 21 November 2014 - 0 Comments

Computers housing the world’s most sensitive data are usually “air-gapped” or isolated from the internet. They’re also not connected to other systems that are internet-connected, and their Bluetooth feature is disabled, too. Sometimes, workers are not even allowed to bring mobile phones within range of the computers. All of this is done to keep important data out of the hands of remote hackers.

But these security measures may be futile in the face of a new technique researchers in Israel have developed for stealthily extracting sensitive data from isolated machines—using radio frequency signals and a mobile phone.

The attack recalls a method the NSA has been secretly using for at least six years to siphon data in a similar manner. An NSA catalogue of spy tools leaked online last year describes systems that use radio frequency signals to remotely siphon data from air-gapped machines using transceivers—a combination receiver and transmitter—attached to or embedded in the computer instead of a mobile phone. The spy agency has reportedly used the method in China, Russia and even Iran. But the exact technique for doing this has never been revealed.

The researchers in Israel make no claims that theirs is the method used by the NSA, but Dudu Mimran, chief technology officer at the Israeli lab behind the research, acknowledges that if student researchers have discovered a method for using radio signals to extract data from hard-to-reach systems, professionals with more experience and resources likely have discovered it, too.

“We are doing research way behind people [like that],” he told WIRED. “The people who are doing that are getting a lot of money and are doing that [full time].”

Dubbed “AirHopper” by the researchers at Cyber Security Labs at Ben Gurion University, the proof-of-concept technique allows hackers and spies to surreptitiously siphon passwords and other data from an infected computer using radio signals generated and transmitted by the computer and received by a mobile phone. The research was conducted by Mordechai Guri, Gabi Kedma, Assaf Kachlon, and overseen by their advisor Yuval Elovici.

The attack borrows in part from previous research showing how radio signals (.pdf) can be generated by a computer’s video card (.pdf). The researchers in Israel have developed malware that exploits this vulnerability by generating radio signals that can transmit modulated data that is then received and decoded by the FM radio receiver built into mobile phones. FM receivers come installed in many mobile phones as an emergency backup, in part, for receiving radio transmissions when the internet and cell networks are down. Using this function, however, attackers can turn a ubiquitous and seemingly innocuous device into an ingenious spy tool. Though a company or agency may think it has protected its air-gapped network by detaching it from the outside world, the mobile phones on employee desktops and in their pockets still provide attackers with a vector to reach classified and other sensitive data.

The researchers tested two methods for transmitting digital data over audio signals but Audio Frequency-Shift Keying (A-FSK) turned out to be the most effective.

“[E]ach letter or character was keyed with different audio frequency,” they note in a paper released last week (.pdf) that describes their technique. “Using less than 40 distinct audio frequencies, we were able to encode simple textual data—both alphabetical and numerical. This method is very effective for transmitting short textual massages such as identifiers, key-stroking, keep-alive messages and notifications.

The data can be picked up by a mobile phone up to 23 feet away and then transmitted over Wi-Fi or a cellular network to an attacker’s command-and-control server. The victim’s own mobile phone can be used to receive and transmit the stolen data, or an attacker lurking outside an office or lab can use his own phone to pick up the transmission.

“With appropriate software, compatible radio signals can be produced by a compromised computer, utilizing the electromagnetic radiation associated with the video display adapter,” the researchers write. “This combination, of a transmitter with a widely used mobile receiver, creates a potential covert channel that is not being monitored by ordinary security instrumentation.”

The researchers note that the chain of attack “is rather complicated,” but it’s not beyond the skills and abilities already seen in advanced attacks conducted by hackers in China and elsewhere. Or by the NSA.

Generally the most common method for infecting air-gapped machines is a USB flash drive or other removable media. Once one air-gapped machine is infected, the malware can spread to other machines on an air-gapped network. Data can be extracted the same way, though this is more of a challenge. The malware stores stolen data on the machine until a flash drive is inserted, at which point data is copied to the drive. When the flash drive is then inserted into another computer that’s connected to the internet, the data gets transmitted back to the attackers’ command-and-control center. This method takes time, however, since it requires the attacker to wait until someone inserts a flash drive into the air-gapped machine and carries it to an internet-connected machine.

AirHopper, however, doesn’t require repeated action like this once the malware is installed. An attacker only needs to get their malicious transmitter code onto the targeted machine and then either install the malicious receiver component on the victim’s mobile phone or use the attacker’s own mobile phone in the vicinity of the computer to receive the data and transmit it to the attacker’s command-and-control server. The malware can be programmed to store siphoned data on the infected machine for later transmission at specified hours or intervals. The researchers also devised methods for hiding the data transmission on the targeted machine to avoid detection, including transmitting data only when the monitor is turned off or in sleep mode and altering the FM receiver on the phone so that there is no audible tone when data is transmitted to it.

Although the distance for transmitting data from an infected computer to a mobile phone is limited—due to the limitations of the receiver in phones—attackers could use a stronger portable receiver, set up in a parking lot for example or installed on a drone flying overhead, to pick up data from greater distances.

There are other limitations, however. The proof-of-concept test allows for data to be transmitted at only 60 bytes a second—about a line of text per second—which limits the speed and volume at which attackers could siphon data. But Mimran notes that over time, a lot of sensitive data can still be extracted this way.