PSN011 – Hacks, Threats, Dumpster Diving and a new schedule
Feb 23rd, 2009 by admin
In this episode we discuss more smart phone threats, defeating facial recognition biometric login on laptops, how your Word documents can reveal your secrets, dumpster diving, and a change to our show schedule.
Show Links
- Smartphone Threats Intensify – DarkReading
- Security researchers crack laptop facial biometrics
- Black Hat ® DC 2009 Briefings Archives
- How Attackers Use Your Metadata Against You
- ShmooCon 2009: Chris Paget’s RFID cloning talk – Hack a Day
- SecurityDreamer Dumpster Diving
- Your Face is NOT Your Password – how they did it (PDF file)
//Jon
Smartphone Threats Increase
We have commented several times about the security threats posed by smartphones, and a study was just released that adds more fuel to the fire.
In previous articles we have mentioned the hazards of cell phones in the workplace. Besides hindering productivity, they may be equipped with data gathering technologies that early James Bonds would have only dreamed of. They can record conversations both on and off the phone. They can take both still and motion pictures of your company secrets. They have access to your corporate VPN. And many can act as portable storage devices connected like a thumb drive to a USB port on a network computer. Armed with email and web access, your stolen data can be sent out of the building in record time.
According to a new report released by McAfee, the well-known antivirus company, more than half of mobile device makers said their products experienced malware, voice spam, or text spam attacks last year. McAfee’s report, which is based on a survey of 30-plus mobile device manufacturers from around the world, found these vendors are getting hit with more malware attacks than ever before.
Experts have long warned that smartphones, such as Windows Mobile and iPhone handsets, could become the new weakest link in the enterprise, with more users relying on them for accessing corporate email, surfing the Web, and other applications.
Enterprise smartphones are starting to get hit with the types of security problems wireless LANs have been facing, industry experts say. Viruses, especially Windows-targeting malware, can be carried from a smartphone onto the network, which puts the entire infrastructure at risk.
So now we not only have to worry about what a smartphone can carry out of your business, but also what it might bring in, in the form of malware or a virus.
Laptop Facial Recognition Cracked
You may be aware that many laptop computers have a small built-in webcam just above the screen. They have been put to several interesting uses. One such use is emailing you a photograph of the guy who just stole your computer. Another recent use, available on a few laptops, is facial recognition. The first time I saw someone use this I thought it was kind of bizarre. I observed Lloyd pick up his laptop and bring it near his face to log in instead of using a password.
Anyway, researchers in Vietnam have cracked the facial recognition login on many of these laptops and demonstrated the technique at the Black Hat security conference in Washington, DC this week. They defeated the systems built into Lenovo, Toshiba and Asus laptops.
Essentially, the researchers bypassed the login by showing the camera a picture of the registered user. They were also able to gain entry by showing the camera pictures of other people’s faces after manipulating light and shade settings.
The link to the technical paper explaining the technique is in the show notes above.
So what can we learn from this? A camera-only check that does not test for a live face cannot tell the user from a photograph of the user, so it is not a substitute for a password. More generally, it is best to let new technology be tested by others before you adopt it.
META Data Used Against You
While we are talking about computer related threats, did you know that the mere act of attaching a Word Document or PowerPoint presentation to an email could reveal confidential data to the recipient?
The Dark Reading blog explains how. Metadata is a feature of many document and file types, including Microsoft Office documents, PDFs, JPEGs, ZIP files, and multimedia formats. Depending on the application and the file, metadata might contain author names, user names, the version of the software used to create the file, the user’s operating system, and sometimes even the computer’s MAC address. Armed with this data, an attacker knows exactly which application version to target, so an exploit can be tailored not only to one file but to every file of that type in the enterprise.
The report goes on to explain that metadata is also useful in social engineering attacks. Knowing the five different authors of a document, an attacker can “drop names” on the phone to make his pretext seem more credible. Similarly, location information embedded in photos can be mentioned to make the calls seem more legitimate.
Metadata can also help with physical theft. For example, users may post images to Flickr or Twitter from a phone that geo-tags its photos. That information can reveal the location of a target’s home or business and where he is likely to be on a daily basis. Similarly, a MAC address identifies the network adapter’s manufacturer and so hints at the type of hardware in use, making it easier to pick out mobile workers whose laptops are kept in places where they are easy to steal.
If you want to know more, see the link to the article in the show notes. The original article links to a white paper titled “Document Metadata: The Silent Killer.” It also gives a few real-life examples of how metadata tripped up a pharmaceutical company that had deleted damaging data from a research report, how former President Bush was taken to task about the original author of a speech about Iraq, and how redacted information in a released Pentagon document was easily recovered.
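As an added example (not from the show or the Dark Reading article), here is how the fields just described can be pulled out of an Office 2007-format .docx, and one way to strip them before a file leaves the building. A .docx (like .xlsx and .pptx, which share the same package format) is a zip archive, and the author, last editor, revision count, application version, company and template names live in two small XML parts, docProps/core.xml and docProps/app.xml. The script constructs such a package in memory; the document title, user names, company and dates in it are invented, and the rest of a real package (body content, content types, relationships) is reduced to a stand-in body part.

```python
"""Inspect and strip Office (OOXML) document metadata.

Added example for the metadata segment; not code from the show or from the
Dark Reading article. The sample document is constructed in memory and every
name, company and date in it is invented.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by the two metadata parts of an OOXML package.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
META_PARTS = ("docProps/core.xml", "docProps/app.xml")

# Constructed sample core properties (who wrote and last edited the file).
CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:title>Q1 pricing strategy</dc:title>
  <dc:creator>a.smith</dc:creator>
  <cp:lastModifiedBy>j.doe</cp:lastModifiedBy>
  <cp:revision>17</cp:revision>
  <dcterms:created xsi:type="dcterms:W3CDTF">2009-01-12T09:14:00Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2009-02-20T16:02:00Z</dcterms:modified>
</cp:coreProperties>""".format(**NS)

# Constructed sample extended properties (which software and company produced it).
APP_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="{ep}">
  <Application>Microsoft Office Word</Application>
  <AppVersion>12.0000</AppVersion>
  <Company>Example Corp</Company>
  <Template>Normal.dotm</Template>
  <TotalTime>412</TotalTime>
</Properties>""".format(**NS)


def build_sample_docx() -> bytes:
    """Return a minimal .docx-style zip: a stand-in body part plus both metadata parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", "<document/>")
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("docProps/app.xml", APP_XML)
    return buf.getvalue()


def read_part(docx_bytes: bytes, name: str) -> bytes:
    """Return the raw bytes of one part of the package."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return z.read(name)


def extract_metadata(docx_bytes: bytes) -> dict:
    """Return {field: value} for every non-empty property in core.xml and app.xml.

    This is exactly what a recipient can read with an unzip tool alone;
    no Office installation is needed.
    """
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part in META_PARTS:
            if part not in z.namelist():
                continue
            for el in ET.fromstring(z.read(part)):
                name = el.tag.rsplit("}", 1)[-1]  # drop the {namespace} prefix
                if el.text and el.text.strip():
                    found[name] = el.text.strip()
    return found


def scrub_metadata(docx_bytes: bytes) -> bytes:
    """Return a copy of the package with every core/app property element removed.

    All other parts are copied byte for byte. Each property element is optional
    in the OOXML schemas, so an empty coreProperties / Properties root is valid.
    """
    for prefix, key in (("cp", "cp"), ("dc", "dc"), ("dcterms", "dcterms"), ("", "ep")):
        ET.register_namespace(prefix, NS[key])  # keep the original prefixes on output
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename in META_PARTS:
                root = ET.fromstring(data)
                for el in list(root):
                    root.remove(el)
                data = ET.tostring(root, encoding="utf-8", xml_declaration=True)
            dst.writestr(item.filename, data)
    return out.getvalue()


if __name__ == "__main__":
    doc = build_sample_docx()
    for field, value in extract_metadata(doc).items():
        print(f"{field:16} {value}")
    print("after scrub:", extract_metadata(scrub_metadata(doc)))
```

Run it and the first loop prints the eleven fields a recipient would see; after the scrub the dictionary is empty while the body part is unchanged. For real files, Office 2007’s own Document Inspector (Office button, Prepare, Inspect Document) removes the same properties; the older binary .doc format stores its properties differently and is not covered by this script.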
Electronic Combination Locks
Listener Dave in Virginia wrote in recently to remind us of the many benefits of electronic safe locks. Obvious benefits, but ones we need to remind ourselves of from time to time. Dave was primarily concerned that today’s economic climate is causing businesses to be a little foolish with cost cutting.
For example, if a manager’s salary is tied to the profitability of his organization, it is only natural for him to cut costs wherever possible to increase profit and increase his bonus. The problem comes when that cost cutting involves security procedures.
By way of example, consider the case of a fast-food chain that found its managers reluctant to change safe combinations. Despite a specific security policy requiring a combination change whenever an employee who knew the combination left, some managers ignored the policy and did not make timely changes, in order to save money and increase their bonus.
The solution to this problem was electronic safe locks whose combination the manager could change himself. Instead of calling a locksmith and paying for a service call, the manager could, and did, change the combination upon employee turnover, thus maintaining security.
Electronic locks also have other advantages over mechanical combination locks, which are roughly Civil War era technology. A mechanical combination must be dialed in a precise sequence, and dialed accurately, to open the lock. This is time consuming and frustrating for the user, so much so that it is common for the safe not to be locked properly during the day: the dial is turned just enough to throw the boltwork, but only a quarter turn is needed to open it again, without dialing the combination.
Electronic locks help because a PIN is much faster and easier to enter, and cash-handling policies often require a manager to be in and out of a cash management safe many times a day. Combine that ease of use with the ease of setting a new combination and you have a winner for the security department.
Electronic safe locks fall into three basic categories and price points.
- At the low end, electronic safe locks provide basic PIN access and user-changeable PINs.
- Mid-range locks offer multiple-user capability, programmable time delays, and an electronic token combined with a PIN for extra security.
- At the high end, the locks include time windows that restrict opening to business hours, audit trail capabilities, and even dual custody. Some even have a ‘door left open’ alarm.
So what can we learn from this? The most significant reason electronic safe locks have become so popular is the user-changeable access code feature. By allowing users to quickly and easily change individual access codes, store personnel can maintain security policies while not impacting store profitability. Often, the cost savings associated with user-changeable access codes can justify the capital investment of an electronic safe lock within the first year of operation. If you want to know more about electronic safe locks, consider signing up for the Safe Lock Servicing class at Lockmasters Security Institute. Visit the website at lsieducation.com to learn more.
RFID Passport Cloning
In the last episode we spoke about researcher Chris Paget, who planned to release the details of his ‘drive-by passport cloning system’ at the ShmooCon hacker convention in Washington, DC. You may recall he used components purchased on eBay for less than $250 to do drive-by discovery of RFID-enabled devices. Much as in wardriving, where a laptop in a moving car discovers insecure Wi-Fi networks, the researcher equipped his vehicle to discover nearby RFID devices and capture their unique identifier codes. During a 20-minute drive in downtown San Francisco he copied the RFID tags of two US passport cards (the wallet-sized card, not the e-passport booklet) without the holders’ knowledge.
Anyway, his talk is available as a video on the hackaday.com website if you are interested. There is a link in the show notes.
Dumpster Diving
Steve Hunt of the Security Dreamer blog has an interesting video post on the results of a recent dumpster dive. He wanted to prove the point that the IT staff in a facility do not have exclusive domain over “data protection.” It is not only an IT issue: the data sits on hardware, or in the trash next to the copier, or in the recycling bins, or in this case, outside in the dumpster. In only three minutes he found wire transfer information, copies of checks complete with Social Security numbers, and even a discarded laptop from the Chicago Board of Trade with the hard drive still inside. The video is well worth watching.
What can we learn from this? Once again, valuable data can leak out of a facility in all sorts of ways, and sometimes it is simply thrown in the trash. How does your facility handle potentially sensitive information? Do you have a document destruction service for the paper that gets thrown away? How about old computers? What is your security policy for the data on their hard drives before they leave the building?
Closing
In closing, I want to take this opportunity to announce a format change. We have decided to move to a biweekly podcast format so beginning in March we will produce Pro Security News every other week. Also, I will be away from the office for a while, so look for our next show on Monday, March 16. In the meantime, I will post interesting news items to the website at www.ProSecurityNews.com. You will get the same weekly automatic notification in your email letting you know about items I have posted.
If you have any questions about any of the topics discussed today, or if you have a technical question you need an answer for, send me an email at info at prosecurity news dot com. I will answer both via email, and on the show so others can learn.
This podcast has been brought to you by the Lockmasters Security Institute in Nicholasville Kentucky. For more than 50 years LSI has been the nation’s leading educational organization for technical and security education. Our students come from the federal government, US military, Fortune 500 companies, private industry and law enforcement. LSI offers 27 different classes covering security management practices, lock & safe technical skills, and law enforcement covert technical operations skills. Check the website at lsieducation.com for the 2009 schedule of classes.



