Archive for RB

IVR Security Threats

On his excellent VoIP/UC Security Blog, Mark Collier points to some interesting work on Interactive Voice Response (IVR) security threats by Rahul Sasi. IVR systems are used in phone banking, call centers, hospitals, and corporations mainly for information retrieval and account management via phone lines. As a security researcher for iSIGHT Partners, Sasi is doing research on a variety of security vulnerabilities that may be present in IVRs.

The author says that IVR security threats are present in IVR systems used for financial transactions. Sasi presented some of his findings at Hack In The Box Malaysia 2011 and the video is available here. Collier summarizes the IVR security threats in his blog:

  • Information harvesting – for account numbers and PINs: guessing a static 4-digit PIN across a range of account numbers. The odds of a hit are pretty good. Some IVRs lock the account but reset at midnight.
  • Injection – through the input of spoken words (“test”, “.”, “com”, etc.), supporting VXML servers can be fingerprinted, affected, and possibly even crashed.
  • DTMF DoS – by entering a large number of tones or adjusting frequency/tone duration, it may be possible to affect or crash DTMF processing software in IVRs. This could be particularly nasty, as DTMF processing is very common.

Collier concludes that since most of these IVR attacks simply involve the transmission of DTMF, they are very easy to execute and automate. These vulnerabilities could impact any IVR, whether it is TDM, VoIP, or the latest UC.
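As an added example (not code from Collier's or Sasi's work), here is a small log-analysis script in the spirit of the first bullet above: it flags a caller failing PIN checks across a range of account numbers, and an account whose failures are spread across midnight so that a daily lockout reset never trips. The log format, caller and account numbers, sample lines and lockout policy are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real IVR data): ISO time, caller ANI, account, auth result
IVR_LOG = """\
2012-11-03T23:50:01 ANI=5550001 ACCT=10000001 AUTH=FAIL
2012-11-03T23:50:09 ANI=5550001 ACCT=10000002 AUTH=FAIL
2012-11-03T23:50:17 ANI=5550001 ACCT=10000003 AUTH=FAIL
2012-11-03T23:50:25 ANI=5550001 ACCT=10000004 AUTH=OK
2012-11-03T23:51:02 ANI=5550001 ACCT=10000005 AUTH=FAIL
2012-11-03T23:58:00 ANI=5550002 ACCT=20000001 AUTH=FAIL
2012-11-03T23:58:30 ANI=5550002 ACCT=20000001 AUTH=FAIL
2012-11-04T00:00:10 ANI=5550002 ACCT=20000001 AUTH=FAIL
2012-11-04T00:00:40 ANI=5550002 ACCT=20000001 AUTH=FAIL
2012-11-04T09:12:00 ANI=5550003 ACCT=30000001 AUTH=FAIL
"""
LOCKOUT_THRESHOLD = 3  # assumed policy: lock after 3 failures in a day, counter resets at midnight

def parse(log):
    """Return (timestamp, ani, account, success) tuples from the constructed log format."""
    events = []
    for line in log.splitlines():
        ts, ani, acct, auth = line.split()
        events.append((datetime.fromisoformat(ts), ani[4:], acct[5:], auth[5:] == "OK"))
    return events

def horizontal_guessers(events, min_accounts=4):
    """Callers failing against many distinct accounts (one static PIN tried across a range)."""
    failed, hits = defaultdict(set), defaultdict(int)
    for _, ani, acct, ok in events:
        if ok:
            hits[ani] += 1          # successes by the same caller are the 'hits' worth reviewing
        else:
            failed[ani].add(acct)
    return sorted((a, len(s), hits[a]) for a, s in failed.items() if len(s) >= min_accounts)

def midnight_reset_abuse(events, threshold=LOCKOUT_THRESHOLD, window_hours=1):
    """Accounts kept under the daily lockout but hit with >= threshold failures across midnight."""
    fails = defaultdict(list)
    for ts, _, acct, ok in events:
        if not ok:
            fails[acct].append(ts)
    flagged = []
    for acct, stamps in sorted(fails.items()):
        stamps.sort()
        per_day = defaultdict(int)
        for ts in stamps:
            per_day[ts.date()] += 1
        tight = (stamps[-1] - stamps[0]).total_seconds() <= window_hours * 3600
        if len(per_day) > 1 and tight and len(stamps) >= threshold and max(per_day.values()) < threshold:
            flagged.append(acct)
    return flagged
```

A lockout counter that is keyed per account and reset on a fixed clock is what the second check exploits; a sliding window per account and per caller removes the free retry.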

rb-

None of these issues seems new to me; they are just new applications of old attack vectors.

  • Who remembers blue boxes or the most famous phone phreak, John “Captain Crunch” Draper?
  • Info harvesting is a typical technique in web 2.0. Attackers successfully harvest personal info from websites like LinkedIn all the time.
  • Does VXML injection = SQL injection? Time for the programmers to step up.
  • DTMF DoS can lead to a buffer overflow; are your systems patched?

All in all, these vulnerabilities create IVR security threats.


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

SmartPhone Zombie Apocalypse

If you have a smartphone, online criminals may soon have your number. Smartphone malware is getting increasingly sophisticated, and MIT’s Technology Review reports that a security researcher has created software that turns a smartphone into a “zombie” that can be controlled remotely. The blog says Georgia Weidman created the program, which controls a Google (GOOG) Android phone via short message service (SMS) to bring about a smartphone zombie apocalypse.

Once only theoretical, real-world cell-phone viruses are becoming more common. The article reports that the most famous was a scam in Russia that tricked users into installing malicious software on Android phones and using the SMS functionality to send messages to a number that charged a premium fee. According to the article, in late 2010 a Chinese virus for Android devices stole personal data.

Botnets have become a staple of Internet crime. They can be used to attack other systems, host attack tools, send spam, or just steal data. The blog says this type of attack has been rare with mobile devices, but that seems to be changing. “We have been taking down Internet botnets for years now, but there is not as much understanding [of telecom networking],” Ms. Weidman says. “I definitely see criminals going more and more toward using the telco’s network.”

TR explains that Ms. Weidman’s program is one of the first known to turn smartphones into zombie nodes of a botnet. Her attack works like this: after infecting a phone with a rootkit, she uses that phone to send spam text messages, take part in a denial-of-service attack, or degrade the phone’s communications, all without the user knowing. The techniques apply to any smartphone, Weidman says.

Today’s smartphones have multiple layers of defense. For one, they can block malicious applications. They also have managed channels, such as the Apple (AAPL) App Store and Google’s Android Marketplace, for applications.

As a result, Weidman says, infecting a smartphone is not easy. “The hurdle with any malware is infecting the phone,” she told Technology Review, noting that the methods used by cybercriminals usually do not work. “More of what you see of malware is people downloading applications for their phone that are infected,” she says.

The problem of cyber-criminals targeting consumers’ phones will only get worse, Kevin Mahaffey, chief technology officer of mobile-security startup Lookout, told the author. Because control of phones is so easy to turn into cash via premium text messages, criminals will be drawn to attack the devices.

“I always tend to look at the economics of the problem to ask myself whether it will continue in the future,” the CTO explained. “And because there is an incentive for attackers to compromise mobile phones, and the cost of compromising is not that high, that says it will become more prevalent in the future.”

Using the telecommunications network, rather than the Internet, for botnet control allows attackers to hide their actions from users. When the attacker does it using malicious software, the user has little chance of detecting it, says Weidman.

“When I infected a phone in my botnet—my lab botnet—with malware, the smartphone would receive a message through SMS and I would check to see if it has botnet instructions in it,” she says. “If it does, it would perform the functionality requests, and then it would swallow the message, so the user does not know that there was a message at all.”

While phones do not have the computing power of more traditional computers, they are hefty enough to handle many of the tasks that cyber-criminals desire, she says. She adds that the sheer number of smartphones means that any botnet could be “a real threat” to create a smartphone zombie apocalypse.


Students – Insider Threat At K12 Schools

I have spoken to several tech people outside of K-12 lately. When the topic of information security comes around, they talk about how much they are focusing on the “growing insider threat” their employers face. I always smile, because those of us in K12 have always faced a hostile internal threat: students. Here are a couple of examples of how students can be an insider threat at school.

KUSA reports that administrators at Colorado’s Jefferson County K12 Schools are investigating reports that student hackers got into Golden High School’s computer system and changed grades. Investigators are looking into whether students inside the school hacked the campus portal system. A student said, “People started giving themselves A’s.”

Golden High School students told the media that the hackers changed the grades for themselves and others just before winter break and the end of the first semester.

Administrators do not even know how many grades were changed. It could be as low as 15 students or as high as 200. The district will not say if any students were caught or how many are suspected of hacking into the system.

Jefferson County Schools Superintendent Cindy Stevenson told local TV her staff is working hard to find out how it happened. When they do, she says security will be improved.

Berkeley High School

Prestigious Berkeley High School in Berkeley, CA, succumbed to the student insider threat. The media reports nearly three dozen students were suspended and face expulsion for hacking into the K12 school’s attendance system, an act that could lead to criminal prosecution according to SFGate. At least four students used an administrator’s stolen password to clear tardies and unexcused absences from the permanent records of 50 students, offering the service or the password for a price, Principal Pasquale Scuderi said.

The hackers erased hundreds of cut classes and tardies from October through December from the system, and charged classmates $2 to $20 for the illicit help, Scuderi told SFGate.

Orange County K12 schools

The student insider threat struck K12 schools in Orange County, California. According to CSO Online, Omar Khan, a former student of Tesoro High School, pled guilty to charges of having installed spyware on his high school’s computers and having used the collected passwords to get access to the grading system and change his grades.

Khan and another student, Tanvir Singh, were arrested for breaking into the school’s assistant principal’s office at night. Khan’s goal was to destroy the evidence that he had cheated on a statistics test by stealing it.

Khan, who had faced a maximum of 38 years in prison on the felony burglary and public-record tampering charges, is expected to be sentenced to 30 days in jail and 500 hours of community service, and ordered to pay about $15,000 in restitution.

The article says Khan admitted he was guilty of breaking into school offices, installing spyware on computers, and then using the passwords to change some of his grades and those of 12 other students.

He also acknowledged that he changed his transcript grades to appeal rejection letters from the University of Southern California, the University of California, Berkeley, and the University of California, Los Angeles.

Nevada salutatorian

PC World reports that in Pahrump, Nevada, K12 schools, Tyler Coyner, Pahrump Valley High School’s 2010 salutatorian with a 4.54 grade point average, was arrested as the ringleader of a group of 13 students who have been charged with conspiracy, theft, and computer intrusion. The article states that Coyner somehow obtained a password to the school’s grade system and, over the course of two semesters, offered to change grades in return for cash payments.

According to PC World, ten juveniles have also been arrested for having profited from Coyner’s offer to bump up their grades. It turns out that Coyner, somewhat foolishly, chose to make himself the one who profited most from his scheme. In fact, the 4.54 grade point average that made him the school’s salutatorian is the result of his own grade manipulation.

rb-

Looks like Coyner has gotten a head start on his dream of becoming a Wall Street hedge fund trader by facing criminal charges as a student insider threat at school.


Emma Watson Most Dangerous Online Celebrity

Computer security company McAfee warns fans of “Harry Potter” star Emma Watson to be careful when searching for photos of the actress. In the sixth annual Most Dangerous Celebrity study, the Intel (INTC)-owned security technology company says there is a one-in-eight chance of landing on a malicious site if you Google Ms. Watson.

The blog says that the 22-year-old actress is dangerous because many cyber-criminal sites use her name or photos to trick users into downloading malicious software or to steal personal information. “It goes without saying that we are a celebrity-obsessed culture. We hyper-focus on their lives, what they look like, what they’re doing,” Robert Siciliano, McAfee’s online security expert, told the LA Times. “Currently Emma Watson is one of those people that criminals have determined is a good target, based on the demographics of those who pay attention to her.”

Mr. Siciliano said criminals know that they can dupe a teenage boy to click on a link that infects the family’s computer, potentially giving them access to, say, a parent’s tax files that contain social security numbers.

“It’s really a brilliant scam — and it’s so simple,” McAfee’s Siciliano said. “Hackers set up the websites, they use … search engine optimization to get the websites high up in search [rankings]. And once they get them high up in search, lace it with links and downloads that are infected.”

Female stars dominate the list of celebs used to dupe the unsuspecting. Late-night talk show host Jimmy Kimmel was the only guy to make McAfee’s “most dangerous” list, weighing in at No. 13.

rb-

McAfee recommends these steps to protect yourself:

  • Stick to sites you know and trust. If you don’t recognize the URL, don’t click.
  • Avoid search results that look too good to be true.
  • Alluring keywords like “nude” or “sex tape” are especially risky. Keep it clean.

Following these steps will protect you from malware spread under the name of Emma Watson, the most dangerous celebrity online.

McAfee's Most Dangerous Online Celebrities

2012             2011                                     2010                                   2009
Emma Watson      Heidi Klum                               Cameron Diaz                           Jessica Biel
Jessica Biel     Cameron Diaz                             Julia Roberts                          Beyonce
Eva Mendes       Piers Morgan                             Jessica Biel                           Jennifer Aniston
Selena Gomez     Jessica Biel                             Gisele Bundchen                        Tom Brady
Halle Berry      Katherine Heigl                          Brad Pitt                              Jessica Simpson
Megan Fox        Mila Kunis                               Adriana Lima                           Gisele Bundchen
Shakira          Anna Paquin                              Jennifer Love Hewitt & Nicole Kidman   Miley Cyrus
Cameron Diaz     Adriana Lima                             Tom Cruise                             Megan Fox & Angelina Jolie
Salma Hayek      Scarlett Johansson                       Heidi Klum & Penelope Cruz             Ashley Tisdale
Sofia Vergara    Emma Stone, Brad Pitt & Rachel McAdams   Anna Paquin                            Brad Pitt

For the 6th year in a row, McAfee researched popular culture’s most famous people to reveal which ones are the riskiest to search for online.


IPv4 IPocalypse Strikes Europe

The IPocalypse has struck in Europe. RIPE NCC, the Regional Internet Registry (RIR) for Europe, the Middle East, and parts of Central Asia, announced on 09-14-12 that it is down to its last “/8” worth of IPv4 addresses. ArsTechnica reports it is no longer possible to get new IPv4 addresses in Europe, the former USSR, or the Middle East, with one small exception: every network operator that is a “RIPE member” or “local Internet registry” (LIR) can get one last block of 1024 IPv4 addresses. To fulfill these requests, the RIPE NCC is keeping that last /8, which has 16.8 million addresses, in reserve.

None of this comes as a surprise, according to the author, given that the global IPv4 IPocalypse struck when the global pool of free IPv4 addresses dried up in February 2011. APNIC, which distributes IP addresses in the Asia-Pacific region, ran out of IPv4 addresses in May 2011. The remaining three Regional Internet Registries, AfriNIC (Africa), LACNIC (Latin America and the Caribbean), and ARIN (North America), all have enough IPv4 addresses to last at least two more years.

Since the depletion of IPv4 address space in the APNIC region, little information has surfaced about how network operators in the region have managed the situation. The article states that the lack of IPv4 addresses only impacts organizations and consumers who need more addresses, or who need addresses for the first time. Existing IPv4 users remain unaffected by the global IPocalypse, so the immediate impact is limited. Also, large network operators get large address blocks from the RIRs and typically have a pool of unused addresses of their own, so few will experience immediate problems.

Every year for the past five years, some 200 million new IPv4 addresses have been put into use. Ars cautions that without a steady supply of fresh addresses, many Internet-related activities are going to become problematic in the years to come. Fortunately, 20 years ago the Internet Engineering Task Force (IETF) foresaw that the IPv4 IPocalypse, the day the 3.7 billion 32-bit IPv4 addresses would run out, would become a problem, and started working on a replacement: IPv6. However, the IPv4 depletion didn’t happen as fast as the IETF originally predicted, and IPv6 adoption has languished.

rb-

So IPv6 adoption got a big kick in the implementation from World IPv6 Launch. Eventually, IPv6 will replace IPv4, but the transition won’t be pretty. I have covered some of the IPv6 issues here, here, and here. Give it some time; Europe and the rest of us will survive the IPv4 IPocalypse.
