We’re going to start off the new year with some of the biggest stories happening in security right now. The first one is the Target breach, which technically happened last year but, with more information coming to light (such as more records have been compromised and that malware was involved), I wanted to pass along a link that goes into more depth about how the malware works:
The interesting thing is that the malware is taking advantage of a software weakness, Information Leakage. The Track 1 and Track 2 data is being left behind in RAM so that it can be successfully gathered by the malware. It doesn’t really matter whether it happens on the terminal where you, as an unsuspecting human, interact or on the back end. If that information is available, someone will write code to extract it in the most effective manner. In Target’s case, it looks like working on the back end seemed the most effective method (and, in my personal opinion, there may have been a little inside help :) ).
Scrapers like the one used for this attack have been around for a long time and I’ve personally written my own when testing POS systems, so this is nothing new. It just happens that this case is very high profile. Hopefully Target addresses the software aspects as well as the operations problems, otherwise they’ll still be a target!
Google + Nest
So, Google acquired Nest. I don’t know about you but are you as tired of this as I am? Whatever your take, why is this such a big deal? The biggest thing is that this is the “signal” that the industry has shifted to the “connected home”, which we all knew was coming but paid very little attention to because, I mean, who wants an internet-enabled washing machine?
Well, get used to the new new thing because it is here. This not only applies to home appliances but to wearables, cars and everything else (a.k.a IoT, the Internet of Things). Regardless of what your opinion is on what should and shouldn’t be connected to the internet, it is here and it’s not going away. The good thing for us security and static code analysis types, is that nobody is making their stuff secure. All that connected code (and a lot of it will be new code) will be just as vulnerable as the stuff we see today. I wonder if anyone from Google did a security audit on the Nest thermostat before buying the company?
My recommendation is to use your imagination and see if you can guess what will be the next things in your life to be connected to the internet. Or uses the internet to connect people to things, like the DoorBot that can integrate with the Lockitron. It looks like we’re moving past this phase or paradigm and into the next one. We’re moving from the web as we know it, one where we used a browser to get our fix to a place where we use custom apps and interfaces to grab our fix and we’ll be competing with the machines :).
Here’s an interesting article that might apply: The PC’s Death Might Also Mean the Web’s Demise (Wired).
CES: Las Vegas
While I was in Vegas for the Consumer Electronics Show, I happened to pick up a Force bracelet from FitBit. It’s a wearable and is indicative of where the high tech industry is headed, which is “Computing Everywhere, All the Time!” The Force is a great product and works as expected with very little fiddling to keep it running. However, it is now possible to know when I’m sleeping and when I’m active and a bunch of other things that can be inferred if you have access to my FitBit account information. It makes me wonder, how secure is the FitBit server? So, I took a look at their website and noticed they have an opening for a “Security Engineer” that seems responsible for a lot of stuff but mainly from an operations POV. The dev positions, however, never mention security.
I think this will be a typical scenario for all the new up and coming technology plays, like wearables and IoT type products and companies. They’ll need our help in securing their products.
Here’s an article on how insecure banking apps really are: Personal banking apps leak info through phone (IOActive Labs Research)
Is your account compromised? This site was built by Troy Hunt, a well-known security researcher from down under with an excellent reputation: https://haveibeenpwned.com/
This is funny, even hackers don’t always have good security practices as the SEA itself was hacked: Syrian Electronic Army’s own website got hacked by Turkish hacker (The Hacker News)
And for fun, as seen on Slashdot: Source Code in TV and Films