Monday, December 15, 2008

McCain Campaign BlackBerry Sold Full Of Confidential Contact Data

Washington D.C.'s Fox 5 news bought a used BlackBerry from the McCain campaign as they shut down. The contents were surprising:

"When we charged them up in the newsroom, we found one of the $20 Blackberry phones contained more than 50 phone numbers for people connected with the McCain-Palin campaign, as well as hundreds of emails from early September until a few days after election night."
Laptops were also sold, although no word has come out about remnant data on them. This once again points to the importance of wiping devices or destroying them. Destruction yields no residual benefit to the original owner, but it prevents data loss, which may save far more money than the small gains from resale. In this case, a $20 selling price for the BlackBerries is likely far outweighed by the negative publicity and the anger of those whose contact information was exposed.

How difficult is it to wipe a BlackBerry? In many cases, it is incredibly easy. For BlackBerries that have security set up, simply typing in the wrong password enough times will wipe them. Others, such as the 8800 series, have a simple wipe process:
  1. Go to Options
  2. Select Security Options
  3. Select General Settings
  4. Click the Menu key
  5. Select Wipe Handheld
  6. Click Continue
  7. Type in the word blackberry

Thursday, December 11, 2008

Cell Phone Jammers As A Skimming Control

Lets Japan points out that a Japanese bank has begun to deploy cellphone jammers near its ATMs to prevent skimming attempts, which increasingly rely on a reader device fitted with a cellular module that phones home over SMS.

According to Lets Japan, "Chiba Bank installed phone signal-jamming devices at 4 unmanned ATMs at bank branches in the Tokyo metropolitan area Dec. 10. It is the first use of the device in a financial institution in Japan."

This isn't likely to occur legitimately in the US because of the Communications Act. The FCC rule can be seen here, and it notes that "Fines for a first offense can range as high as $11,000 for each violation or imprisonment for up to one year, and the device used may also be seized and forfeited to the U.S. government."

Monday, December 8, 2008

I thawte this was interesting...

The Daily WTF has a post from last Friday about Thawte's Personal Email Certificates website leaking other users' personal security questions:

It didn’t take Eric too long to realize what was happening. For some bizarre reason, Thawte was completing his questions by using other users’ questions. When he typed in simply What was, it shot back What was Seti 1...

I was able to verify the behavior myself. I typed "When was" in the question box and was greeted with the response: "When was "M" born". I typed "do you" and got "do you live alone". Granted, you don't get answers to questions, nor are they tied to particular users. However, it's hard to argue that it's not a leak of useful data that could be used to attack other users of the site.

From a design perspective, I can't possibly imagine why any users' questions would have any impact on other users' questions (although I could probably conjure up a couple of explanations for the behavior).

So, what happens when you can't trust the Web of Trust?
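The design flaw behind the leak is an autocomplete query that draws its candidates from every user's rows instead of the requester's own. The following is an added example, not code from the post or from Thawte: it models that flaw with an in-memory SQLite table of constructed sample questions (the usernames and question text are made up), shows the leaky query beside a scoped one, and escapes the LIKE wildcards so typed input is matched literally as a prefix.

```python
from __future__ import annotations

import sqlite3

# Constructed sample data: security questions belonging to three different
# users. The wording is made up, modelled on the kind of prompts the post quotes.
SAMPLE_QUESTIONS = [
    ("alice", "What was the name of your first pet?"),
    ("alice", "When was your mother born?"),
    ("bob", "Do you live alone?"),
    ("carol", "What was your first car?"),
]


def build_db() -> sqlite3.Connection:
    """In-memory table of per-user security questions, loaded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE security_question (username TEXT NOT NULL, question TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO security_question VALUES (?, ?)", SAMPLE_QUESTIONS)
    conn.commit()
    return conn


def _like_prefix(prefix: str) -> str:
    """Escape LIKE metacharacters so the typed text is matched literally as a prefix."""
    escaped = prefix.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    return escaped + "%"


def leaky_autocomplete(conn: sqlite3.Connection, prefix: str) -> list[str]:
    """Vulnerable variant: the candidate list is drawn from every user's rows.

    This reproduces the behaviour the post describes: whoever types a prefix
    learns what other users chose as their security questions.
    """
    rows = conn.execute(
        "SELECT DISTINCT question FROM security_question "
        "WHERE question LIKE ? ESCAPE '\\' ORDER BY question",
        (_like_prefix(prefix),),
    )
    return [row[0] for row in rows]


def scoped_autocomplete(conn: sqlite3.Connection, username: str, prefix: str) -> list[str]:
    """Hardened variant: candidates come only from the authenticated user's own rows."""
    rows = conn.execute(
        "SELECT DISTINCT question FROM security_question "
        "WHERE username = ? AND question LIKE ? ESCAPE '\\' ORDER BY question",
        (username, _like_prefix(prefix)),
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = build_db()
    # Typing "do you" as alice: the leaky query returns bob's question, the scoped one returns nothing.
    print("leaky :", leaky_autocomplete(db, "do you"))
    print("scoped:", scoped_autocomplete(db, "alice", "do you"))
```

The `username` passed to the scoped variant must come from the server-side session, never from a request parameter, or the scoping is only cosmetic. If the site wants to suggest questions at all, the safer design is a fixed, curated list that is not derived from any user's stored data.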

Sunday, December 7, 2008

CheckFree's DNS Compromise - DNS In A Dangerous World

CheckFree, a major Internet bill payment site recently acquired by Fiserv, had the DNS for its customer sign-in page modified on Tuesday, redirecting users to a Ukrainian malware site that attempted to infect them with a password-stealing trojan.

According to Brian Krebs' article about the incident, the root of the compromise was a DNS redirect:

"It appears hackers were able to hijack the company's Web sites by stealing the user name and password needed to make account changes at the Web site of Network Solutions, CheckFree's domain registrar. Susan Wade, a spokeswoman for the Herndon, Va., based registrar, said that at around 12:30 a.m. Dec. 2, someone logged in using the company's credentials and changed the address of CheckFree's authoritative domain name system (DNS) servers to point CheckFree site visitors to the Internet address in the Ukraine."
This of course indicates that a trusted user's credentials were phished. Interestingly, according to Krebs, as many as 71 other sites were also redirected, making this a reasonably large attack, and likely one that foreshadows a trend we will see this year. As site security improves and more time is spent on front-facing web application security, phishing and compromise of DNS and hosting platforms become more attractive to attackers.
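Because the change here happened at the registrar, the zone's own servers stayed intact and nothing in the application stack would have noticed; the signal is the delegation itself. The following is an added example, not code from the post or from CheckFree or Network Solutions: a small check that parses `dig +noall +answer NS <zone>` style output (two constructed answers with placeholder names, one matching the configured delegation and one not) and reports nameservers that are not on the owner's allowlist, allowlisted ones that vanished, and a TTL that dropped below a floor. In practice the answer text would be gathered on a schedule from the parent (TLD) servers, since that is where a registrar change shows up first.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample answers in the format of `dig +noall +answer NS <zone>`.
# The zone and nameserver names are placeholders, not the ones from the incident.
BASELINE_ANSWER = """\
example.com.   86400  IN  NS  ns1.example-dns.net.
example.com.   86400  IN  NS  ns2.example-dns.net.
"""
HIJACKED_ANSWER = """\
example.com.   300  IN  NS  ns1.attacker-example.invalid.
example.com.   300  IN  NS  ns2.attacker-example.invalid.
"""

# The delegation the zone owner actually configured (placeholder names).
EXPECTED_NS = ["NS1.example-dns.net.", "ns2.example-dns.net"]

NS_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+NS\s+(\S+)\s*$")


def normalize(name: str) -> str:
    """DNS names compare case-insensitively; drop the trailing dot as well."""
    return name.rstrip(".").lower()


def parse_ns_answer(text: str) -> dict[str, int]:
    """Map each NS target in a dig-style answer to its TTL; non-NS lines are ignored."""
    records: dict[str, int] = {}
    for line in text.splitlines():
        m = NS_LINE.match(line.strip())
        if m:
            records[normalize(m.group(3))] = int(m.group(2))
    return records


@dataclass(frozen=True)
class DelegationReport:
    unexpected: frozenset[str]  # nameservers delegated but not on the allowlist
    missing: frozenset[str]     # allowlisted nameservers no longer delegated
    ttl_drop: bool              # some NS TTL fell below the floor we treat as normal

    @property
    def ok(self) -> bool:
        # A low TTL alone is only a weak signal; a changed nameserver set is the failure.
        return not (self.unexpected or self.missing)


def check_delegation(answer_text: str, expected_ns, min_ttl: int = 3600) -> DelegationReport:
    """Compare an observed NS record set against the owner's configured allowlist."""
    observed = parse_ns_answer(answer_text)
    expected = {normalize(n) for n in expected_ns}
    seen = set(observed)
    return DelegationReport(
        unexpected=frozenset(seen - expected),
        missing=frozenset(expected - seen),
        ttl_drop=any(ttl < min_ttl for ttl in observed.values()),
    )


if __name__ == "__main__":
    for label, answer in (("baseline", BASELINE_ANSWER), ("hijacked", HIJACKED_ANSWER)):
        report = check_delegation(answer, EXPECTED_NS)
        status = "OK" if report.ok else (
            f"ALERT unexpected={sorted(report.unexpected)} missing={sorted(report.missing)}"
        )
        print(label, status, "(low TTL)" if report.ttl_drop else "")
```

Alerting on any difference, rather than only on known-bad names, is the point: the owner knows the expected set exactly, so the allowlist is small and the check has no signature to maintain. Pair it with registrar-side controls such as a registry lock and strong, phishing-resistant authentication on the registrar account, which is what would have stopped this incident.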

Sadly, it took until today for CheckFree to notify customers in any detail via email. CheckFree's customer email lists the conditions that might mean users of its site were infected, but does not provide detailed information or a link to details about the malware. Customers might be affected if:
  • You attempted to access online bill payment between 12:30 a.m. and 10:10 a.m. Eastern time (GMT -5) on Tuesday, December 2, 2008, and
  • You were using a computer with the Windows operating system, and
  • You reached a blank screen rather than the usual bill payment screen when you attempted to navigate to online bill payment, and
  • After reaching the blank screen, your computer's virus protection program did not tell you via pop-up or other messaging that malicious software was detected and quarantined.
CheckFree offers further help, with a direct 1-800 number for those affected as well as the promise that "We will also offer you both advice and free services that can help you mitigate any risk you may face as a result of this incident or other everyday exposures you may encounter."

For now, affected users will need to clean their systems, reset passwords, and make sure they are using better browser and system security to help prevent future compromises.

Wednesday, December 3, 2008

Spoofing Face Recognition Software

Gizmodo, via CNET's Crave, has an interesting overview of BKIS's face recognition software exploits. As described, they modify a relatively low-resolution image of a person taken from Facebook or another site where pictures are available. A tweaking process creates an image that is highly compatible with the face recognition software, allowing a malicious third party to log in to that user's system.