Monthly Archives: May 2010

Then: catching the common cold. Now: catching a computer cold

Computer viruses are not exactly a new phenomenon. Neither are human viruses. But don’t you think it would be a little strange if a computer came down with the sniffles, or if you contracted a trojan (and I’m not talking about the latex kind…)? Well, your PC isn’t likely to be allergic to pollen or pet dander any time soon (although you should clean the fan every few months just to be sure), but it is now possible for you to contract a computer virus. Thanks to the wonderful world of microchips and RFID, everything from your Grandma Rose’s pacemaker to your ID badge at work could become infected.

When you think about it, it’s not really all that mind-boggling to think that these little gadgets and gizmos can get infected. They are, after all, just other forms of computers and communication. I’m amazed it’s taken this long for someone to figure this out, actually.

Mark Gasson is a researcher at the University of Reading, and he has become the first person to be infected with a computer virus. He did so by implanting a tiny RFID chip in his hand, and then writing malicious code to put on it. He then scanned it with the reader typically used for the ID badges at the college. When the reader reads his chip, the virus is transferred to the computer database that controls which employees get access to which parts of the building/campus. When other people scan their badges, those badges are now infected and will pass the virus off to all other RFID scanners they come in contact with. Not only that, but it could also be used to collect and transfer data from the employees’ accounts and give it to Gasson whenever he scans his card. Ultimately, Gasson could end up with access to every locked door on the premises.

This is a relatively harmless implementation, but it shows that wireless implants and computers can be used to infect each other. As things like pacemakers become more evolved, it could be possible to infect them, as well as a host of other devices and implants in the body. Thinking about the possibility of a denial-of-service attack on a pacemaker or brain stimulator doesn’t exactly brighten my day…

As an Information Security major, I am really hoping this threat doesn’t amount to anything, because it seems like it would be a royal pain in the butt to deal with. Of course, as the threats become more and more real, I have no doubt that we will find replacements for things like RFID chips/readers, and find ways to secure the chips that are implanted in our bodies/clothes/pets/phones/EVERYTHING. I think it will be really interesting to see how this all pans out in the coming years. I also think that releasing this story and information was a stupid idea. It doesn’t really benefit the general public, and opens up a whole new world of possibilities for would-be hackers who may or may not have ever thought of it, or at least not for a while.

This is where I hope that none of our readers are evil-minded code-monkeys, because if they are, I just made the problem worse. Sorrrryyyyyyy. 😉

-Mike

Philosophy on Computers

Today I thought I would do something a little different here. I have been in front of a computer for over half of my life, which would be around 11 years or so. The amount of time I spend on computers is astounding, probably around 6 or 7 hours on average per day. I work on computers, I fix computers, and I play on computers. Sometimes I wonder if I am spending too much time on computers and not enough with other activities; it’s like an addiction that you can’t control. Luckily I have other hobbies other than computers, which gives me a break when I feel like they are ruling over my life too much.

The reason why I bring all of this up is because I wanted to talk about how computers are both good and bad in society.  They are good due to the higher technology that we have gained by building faster and better computers, they run most of the world and without them we would be a much more primitive society.  On that same token though I believe they are also evil because of our dependence on them, they make us rely on hardware other than our own.  One computer can do many more calculations than a human brain can do in one second, as well as a much smaller error margin when performing certain tasks that both humans and computers can perform.  This last bit is mainly a plus, but again it puts the computer first and the human second, which means that more jobs will be taken out by computers as time rolls on.

It is amazing how the technology of the computer has progressed through the years, faster than anyone could imagine. Just ten years ago we thought that we would never need more than 2GB of memory, now we have computers with over 20GB. The future of computers is uncertain, they will of course become more and more powerful as well as becoming smaller and smaller, but as for the new applications of computers, more and more pop up every day. It is an ever expanding pool of possibility out there, but hopefully we will never get to the point where computers are creating computers, as well as maintaining and upgrading. This would rid the need for technicians, and human interaction between the machine and its user.

Tabjacking

It is pretty common through the course of using the Internet and e-mail to run across phishing scams and fake web pages attempting to fool you into giving away your user name and passwords. Some are done better than others, and even the most careful users can fall in the trap.

There is a new type of vulnerability I want to help spread the word about. I feel that being educated on these types of phishing tactics is the only real way to prevent them from affecting you. And, while this type of scam is still not heavily exploited… the way in which it operates is ingenious, and could potentially cause massive amounts of trouble for PC users.

This new type of phishing tactic is being referred to as TabJacking. With the newest generations of browsers (IE 8, FireFox, Opera, Chrome) the new tab button is being used heavily as an easy alternative to opening new windows and increasing multitasking capabilities. By having so many open tabs this exploit is banking on the fact that a user may not remember that they have opened, for example, their bank account in another tab.

The site hosting the exploit has the ability to change the ‘favicon’ (the little picture by the site’s name that helps users identify it, like a Bank of America logo), the site’s title (to something like “Bank of America | Home | Personal”), and the site’s contents… to look almost identical to a Bank of America log on page. While this would be one hard to pull off phishing attempt (considering the amount of security, and visual pass-phrases banks including BoA use to protect their clients) there are other examples that would cause just as much trouble for users.

Let’s look at this example to see how nasty this variant of phishing could be:

Imagine logging into your web based e-mail account. Over the course of 10 minutes it is possible you may have opened 5 separate tabs for individual messages, or links you’ve encountered in an email from a friend. Unfortunately, one of the pages you went to while checking your email contains code that will attempt to fool you. When you’re not looking, and busy with another tab, the page will instantly transform without notice to look like your e-mail’s log on screen. You were already in your email… so it is realistic that perhaps your session was timed out, and you do in fact need to re-log in. It is this feeling of security between tabs that makes this attack so dangerous.

There is a proof of concept located at: http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/

This page will transform after you look away from it into a picture of the gmail log in screen (to help show how the attack works, not to try to solicit information).

While this attack mode is still in its infancy, it is good to recognize that it could cause problems in the future, and you should be on the lookout.

-Steve, for TTC
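
One way to notice the behaviour described in the post above from the browser side, as an added example that is not part of the original post: a content-script-style monitor that logs title and favicon changes and reviews what changed while the tab was in the background. The function name, event shapes, severity labels and sample log are constructed for this example.

```javascript
// Added example, not from the original post. Constructed event shapes:
//   { type: 'visibility', hidden } and { type: 'title' | 'favicon', from, to }
// Replays a tab's event log and reports what changed in each background period.
function reviewBackgroundPeriods(events) {
  const findings = [];
  let current = null; // changes seen while the tab is hidden, else null
  for (const ev of events) {
    if (ev.type === 'visibility') {
      const changed = current ? Object.keys(current) : [];
      // Title-only changes are common (unread counters); title plus favicon is the pattern above.
      if (changed.length > 0) {
        findings.push({ severity: changed.length === 2 ? 'high' : 'low', changes: current });
      }
      current = ev.hidden ? {} : null;
    } else if (current) {
      // Keep the first "from" so a chain of changes still shows the original value.
      const first = current[ev.type] ? current[ev.type].from : ev.from;
      if (first === ev.to) delete current[ev.type]; // changed and reverted: nothing to report
      else current[ev.type] = { from: first, to: ev.to };
    }
  }
  return findings;
}

// Constructed sample log: one background swap of title and icon, then a benign counter.
const SAMPLE_LOG = [
  { type: 'title', from: 'Loading', to: 'Cat pictures' }, // tab visible: ignored
  { type: 'visibility', hidden: true },
  { type: 'title', from: 'Cat pictures', to: 'Webmail: Sign in' },
  { type: 'favicon', from: '/cats.ico', to: '/mail.ico' },
  { type: 'visibility', hidden: false },
  { type: 'visibility', hidden: true },
  { type: 'title', from: 'Webmail: Sign in', to: '(1) Webmail: Sign in' },
  { type: 'visibility', hidden: false },
];

// Browser wiring (content script or userscript); skipped when run outside a page.
if (typeof document !== 'undefined') {
  const log = [];
  const icon = () => (document.querySelector('link[rel~="icon"]') || {}).href || '';
  const seen = { title: document.title, favicon: icon() };
  const note = (type, to) => { if (to !== seen[type]) { log.push({ type, from: seen[type], to }); seen[type] = to; } };
  new MutationObserver(() => { note('title', document.title); note('favicon', icon()); })
    .observe(document.head, { subtree: true, childList: true, attributes: true, characterData: true });
  document.addEventListener('visibilitychange', () => {
    log.push({ type: 'visibility', hidden: document.hidden });
    if (document.hidden) return;
    const hits = reviewBackgroundPeriods(log.splice(0)).filter(f => f.severity === 'high');
    if (hits.length) console.warn('tab title and icon changed in background', hits);
  });
}
```

The review only covers what the page presents as its identity; checking the address bar before typing a password remains the reliable control.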

Street View = Wireless View? Oh boy

Umm. Hi. Google? WHAT THE HELL ARE YOU DOING?

Man, I wish I could end my post right there. It sums everything up so beautifully. Allow me to explain.

Back on Friday, May 14th, Google announced on its blog that it has been inadvertently collecting data from unsecured wireless networks as its Street View cars have roamed the streets of the world for the past 4 years. At first Google said the only things they were actually collecting were SSIDs (the names of the wireless networks) and MAC addresses of the wireless routers. Well…they lied. Apparently they also managed to collect some 600 gigabytes of transmitted data in more than 30 countries. By today’s standards, 600 GB isn’t an astronomical amount of data, but it’s about 600 GB more than I would like them to be collecting. And for some reason I don’t think I’m alone in thinking that. Thankfully I secured my wireless network. But did you?

Google says that it has not used any of the data for anything, nor will it show up in their search engine, or elsewhere. Can we believe that, though? Once Google was aware of what was happening, it segregated the collected data onto another network, which was then “disconnected to make it inaccessible.” Inaccessible to who? My goldfish? Call me crazy, but I feel like if something can be disconnected, it can probably be reconnected. Especially by the same people who disconnected it. I don’t know. That’s just a hunch. 😉

The obvious question, of course, is how did this even happen in the first place? Turns out there was a slight “oversight”. I can’t possibly explain it any better than Google did themselves, so here you go:

“In 2006 an engineer working on an experimental WiFi project wrote a piece of code that sampled all categories of publicly broadcast WiFi data. A year later, when our mobile team started a project to collect basic WiFi network data like SSID information and MAC addresses using Google’s Street View cars, they included that code in their software—although the project leaders did not want, and had no intention of using, payload data.”

Okay. More questions for you, Google: Why did you want to collect SSID and MAC info to begin with? I think my favorite line is “code that sampled all categories of publicly broadcast WiFi data.” What purpose could this possibly serve other than to collect payload data from the unsecured networks? And how do you not know what your code is really doing? Either you suck at testing your own products, or you suck at lying. Pick one, and explain yourself.

Now, Google is (at least in theory) working to get rid of the data it has collected. Data from Ireland has apparently been deleted, with confirmation from a third-party. Again, here is the link to Google’s blog, and you will see at the top there is an update regarding this matter. Woah. 1 country has been taken care of in 10 days, and counting. Let’s do the simple math here. There are over 30 countries involved, so at a minimum of 10 days per country, we’ll still be dealing with this next year. Not exactly a blistering pace. That should give them plenty of time to fabricate a nice little story for us while they exploit the data as much as possible. Way to hustle, Google.

WHAT THE HELL ARE YOU DOING?

-Mike