Hardware & InfoSec

Securing the Security Devices

OK, so you’ve bought the glow-in-the-dark, meets all the compliance requirements and looks really shiny “security solution” from a vendor (one or many).

Or maybe your management has bought it and presented it to you as a fait accompli. (Hope I’m spelling that fancy French right!) And of course either you have to manage it (without training, “that’s too expensive, just watch the consultants put it in”), or it’s been “outsourced.”

Or as an auditor, you’ve been told to use it for all auditing functions, and not worry about doing any follow up or periodic testing because this product is such a “time-saver.”

So, how do you know (my favorite question) it’s working and doing a good job? Not what the fancy report it produces says, not what the consultant says, not what the manual says, not what the boss says. What you can actually see.

I’ve been following a discussion on the Security Focus “pen-test” mailing list about how security software has just as many issues as regular software. I don’t like thinking that the software protecting me and writing to a SQL database is using an unencrypted ODBC connection that can be captured by ARP poisoning.

So, although I am rarely asked to audit or test a firewall, IDS or host IDS, having run and learned on all of them, I have some suggestions for you to try out.

NEXT: How to Audit Your IDS/Firewall/ECM for free.

More on ATMs - The Daily Store Owner Log

Did you know that a store that puts in an ATM for customer use also provides a daily log of transactions to the owner? The log includes the Bank name, last four numbers of the account, the customer name, and the transaction.

So if I do an account balance request, that comes up in the log. The amount in my account comes up in the log.

The log includes all transactions done on that machine, so everyone’s name, Bank name, how much they have, how much they took out, etc, is all there on the log.

I was chatting with an acquaintance who owns a store in Maine, and she pretty much knows everyone who comes in her store. When she had an ATM put in, after numerous customer requests, she began getting those daily reports (probably because she gets a percentage of transactions). She was embarrassed at how much information she could see about people she knows. I would be, too.

Where does this report get stored? Who has access to the reports? The manager? The clerks?

Here’s an acronym I really like: TMI (TOO MUCH INFORMATION)

Why does a store owner need that much information? I’ll try and find out.

More on Cell Phone (IN)Security

I’m having very mixed feelings, I must say, on what I’ve been reading about accessing information from cell phones. On the one hand, in my line of work, which occasionally includes forensics, I’m pleased to see new tools come out that make my job that much easier. The Cell Seizure Investigator “stick” from Paraben for under $500 is a great new piece of equipment for pulling all information off of a corporate cell phone.

On the other hand, knowing that there is a quick tool to pull all the data off my phone in five minutes or so doesn’t give me warm feelings inside. Given that there isn’t really a secure delete function that is available, anything that is on my phone could be recovered in the same way we can recover deleted data from a hard drive. When will we have the ability to encrypt the storage on these things?

I have seen some early reports of cell phones that use biometric identification, but none that appear to be here in the USA.

I have run across a free tool for deleting data on your cell phone by recellular.com that offers some software based on model of phone. Not all models are covered, and I haven’t had a chance to test it out. If you do, please let me know your results.

In the meantime, review what is on your cell phone, and keep it to a minimum!

Physical Security Part II

The most secure Data Centers I’ve seen utilize electronic access cards of some type that have a good reporting mechanism, right down to which door. Of course, these systems don’t do you a bit of good if no one looks at the logs, but that seems to be the exception, rather than the rule. Thank goodness!

I’ve seen some systems that you must swipe in order to exit, as well as enter. This seems a smart way to make sure employees and cards are being utilized properly. Also, doors should alarm if they are propped open or not quite secured. Depends on how much you value your data, doesn’t it?

Camera systems can be a very good alternative to swipe cards, but ONLY if you have sufficient coverage of the area you’re trying to secure. I tested a system that could see me going up the steps to the Data Center, but didn’t capture me until I was two feet from the door. If I scuttled sideways to the right, it missed me entirely! We adjusted that camera together.
Does your system overlap all areas inside the Data Center? Can you track where someone goes throughout the area?

Finally, is your camera system secured away from the Data Center? Make sure only specific people have access, and make sure the captures are stored securely. How long should you keep them? I’d say a year, which would give you a good period of time to track back possible miscreants. But it really depends on your storage space. If you can use WORM (Write Once, Read Many) storage, even better.

Ultimately, it does come down to your employees. I can’t tell you how many times I’ve slid in the door behind someone holding an armful of books and thanking them for holding the door. If someone strange is sitting in the conference room, it could be me hacking your network. Just ’cause I’m a lady dressed in a really nice business suit doesn’t mean a thing.

How are you disposing of your physical computer equipment? Never underestimate the ability of people to be lazy and just “toss” stuff. Find a way to securely wipe your data OR transfer the risk by hiring someone that will give you a certified receipt that THEY have destroyed it for you. Expensive? Probably? More expensive? Getting your company’s name in the paper.

ATMs with Bugs - At the Grocery Store

From the Wall Street Journal comes the disturbing news that a high-tech wireless “bug” has been found in hundreds of grocery store ATMs in five different European countries. According to WSJ:

Examining the store’s credit-card readers, investigators discovered a high-tech bug tucked behind the motherboard. It was small card containing wireless communication technology.

The bug reads an individual’s card number and the corresponding personal identification number, then packages and stores the data. The device would once a day call a number in Lahore to upload the data to servers there and obtain instructions on what to steal next.

The easiest way police have been finding these things is to weigh the ATM, although the bug (a card, actually, and I think has to be plugged into the motherboard) only weighs about 4 ounces. How many more will they find? Now that ATM fraudsters can go “upscale” to a wireless bug instead of a clumsy card skimmer, theft becomes even easier. These bugs are big enough to be programmable, so that they could only collect information from Platinum level cards, for instance, instead of my Uncle Bert’s VISA card.

Although the article does not address debit cards, I would have to wonder what the impact was on those? Did they escape due to the lack of PIN capture? Possibly.

The first solution I would think of would be to lock down the phone line so that it ONLY can dial home (and not to Lahore to deliver its’ payload). Not only that, log and report any attempts to dial elsewhere.

This is a VERY sophisticated attack, and appears to be widespread. Early estimates indicate a theft between 50 to 100 million dollars.

Just who has had access to the inside of those machines, that were built in China? How are they secured? The report mentions that the bug is “attached behind to the motherboard.” Somebody has some inside knowledge of this equipment and has used that knowledge to quite an effect.

Thieves keep getting smarter.

ATMs Redux - Why I Don’t Use My Debit Card

In a previous post about Automatic Theft Machines I commented on the worrisome rise in skimming with these machines.

Now, to add to our pain, we should be concerned about gas station pumps, according to NBC. Take a look at the picture of the device - makes me wonder how they set it up without inside help.

The article goes on to discuss the rising crime rate from debit card theft. Once these folks pluck your card number and PIN, they can clean out your bank account in no time flat. Unlike credit card fraud, where the bank removes your liability after $50, people are reporting a struggle to get their bank accounts credited after all the cash has been extracted.

So, let’s see, ATMs, airline check-in machines, and now gas pumps.

I’d decided after the Hannaford breach that we would no longer use our debit card unless standing inside the bank. And even that is not risk free from skimming.

Hardware? What Hardware?

I came across a recent post from the Breach Blog reporting that a U.S. Naval Laboratory employee - the computer administrator - had stolen 19,709 pieces of computer equipment, worth up to $1.6 million.

Did no one see this guy carting hardware out the door? I’m not talking about the small stuff, I’m talking about the more than 100 personal computers. Doesn’t a Naval laboratory have cameras on the exits, and guards? I know it’s easy to have hindsight vision, but this seems like it should have tripped somebody’s awareness alarm.

We can also extrapolate that there was no inventory control of hardware, AND no financial oversight of hardware costs. This happened over the course of ten years, so maybe he was able to slide it in under the radar.

What about the information ON the hardware? The Navy says only 14 people were affected. Given the evidence of their controls so far, I’m not sure I have a high level of confidence. They had to go through hard drives, CDs, Zip drives and all those computers. I hope they did.

How was this discovered? He and his wife are divorcing, she filed a protection request, and told his bosses she wanted his “work stuff” out of the house. He had so much stuff, he was storing some of the equipment at a neighbor’s house.

Do You know Where Your Previous Mobile Phone Is?

Cell phone companies are tempting us more and more with phones that act as PDAs (Personal Data Accessory??), send and receive email, surf the Web, have bigger capacity to store documents, are music players, cameras and oh, by the way: a phone. And in the coming years some have proposed utilizing your phone to pay bills and buy stocks.

It’s wonderful and terrible all at the same time. There is no standard procedure for wiping a phone’s information. Phone manufacturers have proprietary hardware, and have been extremely reluctant to release information to software developers who could provide us with a way to wipe the phone and its’ memory. As a result, we have millions of phones available with sensitive data, on an open market. Thank you manufacturers, for protecting the consumer? As usual, no one really thought about security, not to mention privacy.

Three years ago, Graham Clements - A managing director for a subsidiary of Japanese packaging multinational Ishida - decided to get rid of his BlackBerry and turned it in to his IT department for recycling. At the start of this month that BlackBerry was one of the top items on the agenda at the first board meeting that Clements had called since his return from vacation - because the data on it had come back to haunt him.

Instead of being recycled, the BlackBerry, like millions of other mobile devices every year, had been passed on to a company to be sold. On Clements’s device were business plans, details of customer relationships, information on the structure of the company, details of his bank accounts and details about his children. Ouch.

Fortunately, that BlackBerry was among several that were recovered from mobile phone recycling companies as part of a study into data loss on mobile devices. It’s a significant issue that many companies have not addressed.In a 2006 survey by the Business Performance Management Forum (BPMF), nearly half the respondents reported that at least 25 percent of all mobile devices in their organizations carry mission-critical information and applications.

Imagine having a computer that you could never wipe clean of any of your confidential business activities. Instead of recycling, we can only destroy the items. Mobile device security software commonly available can secure the device, but cannot wipe it. If anyone knows of a good wipe program, please drop me an email.

Some folks leave their SIM cards in the phone they return to corporate headquarters, along with their messages and documents. Taken any pictures on that phone you wish you hadn’t? That office Christmas party where your senior manager got drunk and acted up? They’re probably still there.

I’ve just thought of a new Rule of Thumb: There’s no such thing as DELETE on a cell phone/PDA/camera. We must act accordingly until assurance can be confirmed about wiping these devices. If it cannot be wiped, it must be destroyed, which is not exactly “green” in any corporate environment.

My old one (a Palm) is in my desk drawer, kept for parts because my spouse is still using a Palm. Where’s yours? What was on it?

ATMs - Automated Theft Machines

It’s absolutely fascinating (in a nerve-wracking sort of way) to read about how many different ways there are to use ATMs to capture (and steal) accounts and PIN numbers. From there, it takes very little time to create a fraudulent card and spend what you can before the bank catches up. It’s a triumph of hardware over software. Thieves simply work around the software controls to capture the information they want.

For example, the concept of “skimming.” Typically, thieves attach a device to the outside of the ATM that records the magnetic stripe information as you insert it. They also need a camera of some sort to capture the PIN as you type it in. For a classic example, with pictures you can see that the card skimmer fits in front of the regular card slot. For PINs, the clever placement of a pinhole wireless camera makes it all way too easy.

Thieves tend to get endlessly creative: One fellow bought his own ATM equipment and kept moving it around from place to place in order to capture information. He was good enough at it to collect at least $4 million, and is still at large.

More losses come from retail ATMs (those found in supermarkets, convenience stores, gas stations, or other non-banking environments) where there are less stringent controls and only casual observers. In May of this year, the ATM at one gas station was rigged, with at least 80 victims. When he was finally apprended, he had stolen more than $185,000. Ouch.

There are about 360,000 ATMs in the United States, according to Bankrate.com Only half of them are at a bank.

The ATM designers are moving to internal card readers and other techniques to eliminate external skimming devices, but when you can buy your own ATM and move it around, controls on sales of such machines must be tightened.

Rule of Thumb: If I don’t go to the bank for gas, I won’t go to the gas station for money.

Hack My Coffee - Please

From Craig Wright comes this riveting post:

I have a Jura F90 Coffee maker with the Jura Internet Connection Kit. The idea is to:

Craig goes on to reverse engineer the software, with predictable results: Coding with no security. The details are painful.

The connectivity kit for the coffee machine installs software that uses the connectivity of the PC it is running on to connect the coffee machine to the Internet. This allows a remote coffee machine “engineer” to diagnose any problems and to remotely do a preliminary coffee service. Be still my heart - a remote coffee machine ENGINEER. (A NEW acronym:RCME)

It seems the software allows the “RCME” (can you say “attacker?”) to gain access to the Windows system it is running on at the level of the user. For most of us, that would be administrator.

Compromise by Coffee. Whoo HOO. Can’t wait to see this come up in an audit.

And you can buy it for only $1798.00 at Amazon.

What’s surprising is that this thing has been on the market since September 2006, and it seems to have just now hit the press.

And Jura’s response?

“Jura is well aware of these articles which it clearly qualifies as misinformation. “ So Jura says security researchers are wrong. A coffee maker company knows best! OOOKay.

“The internet Connectivity Kit which can optionally be acquired for only one device (IMPRESSA F90/F9) And this makes insecure software better how?

will at no times connect the coffee machine to the world wide web. Except the software allows a remote coffee machine ENGINEER to access the machine from the web. OOOKay, again, this is secure how?

“Its settings can therefore only be changed by the machine’s rightful owner.” And if a remote coffee machine ENGINEER is allowed to run diagnostics on the machine - is this statement accurate? What else can the remote coffee machine ENGINEER do while he/she is running those diagnostics?

I’m feeling a caffeine buzz already. Is this a high risk vulnerability? No. Is it a good idea? NO.