The Insidiousness of Cellphone Malware

Hackers and cyber criminals continue to get more sophisticated, especially when it comes to fooling people via less traditional attack vectors. For example, I got an interesting text on my work cell phone earlier this week …

“heyy liveurpic.com that’s what I was telling you you should join.”

The message came from a local Twin Cities telephone number that I didn’t recognize. So, being the suspicious type that I am, I “Googled” the phone number and found that the same number was spamming local numbers here in the Twin Cities and that there are several complaints about it already.

Taking this a step further, I fired up a clean VM with antivirus on it that goes through our Sophos WS1000 web security appliance and pulled up the URL in Google Chrome. Sure enough, the site was blocked and classified as “High Risk”, with a note that “Mal/HTMLGen-A” had been found on the site.

Sophos warning

Sophos classifies malware by its behavior, and Mal/HTMLGen-A happens to be a very commonly used browser payload delivery mechanism that affects Windows, Mac OS X, and Linux.

After doing a little more digging, I found that the URL that was sent resolves to 46.102.246.15, which has some really interesting history to it. This particular IP range was in Volgograd, Russia back in 2010, and is now owned by a Romanian internet hosting company parked in Schiphol, Netherlands.

A few companies I’ve worked at in the past IP block Romania at the firewall since there is a high amount of fraud and scam traffic that originates from there, so it makes sense that they would host from another country to get around geo location-based IP blocking.

And finally, we arrive at the nature of the attack itself.

Cell-based text messaging. Both my phones run a variant of Linux, one being Apple iOS (work cell) and the other Android (personal cell). If an attack is highly sophisticated, it will include some sort of detection routine so it knows which payload to push onto the phone, such as iOS jailbreak code or Android rooting scripts/programs – something that will allow the attacker to access your dialer without you knowing about it and make premium calls or send premium text messages. Sure, you’ll figure it out once you get your next phone bill, but by then it’ll be too late.

If the attack is low-tech, then it may be as simple as trying to get you to share your URLs (like Chrome does) with a far more vulnerable Windows OS and using some canned Blackhole Exploit Kit scripts that were purchased to farm some bank info.

I’d love to take the time to pull the payload code apart to see what it’s trying to do, but from the poor English used in the text message itself, I’m betting it’s low-tech. If the attacker can’t be bothered to try to make the message look legit, you can more than likely bet they bought their malware off the shelf.

Moral of the story: your cellphone is at as much risk as your computer. Be wary, be vigilant.

A Security Lesson from the Dinosaurs

Last week, I got my copy of All Yesterdays (not the used Amazon versions, as the pricing algorithm is failing hilariously). I’ve been a fan of Darren Naish’s work since I discovered Tet Zoo years ago. It turns out that in addition to writing amazing articles on the cladistics of extinct crocodilians, he is also good at writing about paleo art.

You might think that paleo art is art done by prehistoric people, but no. In this case, it is art done to provide imaginative reconstructions of life from fossils. I imagine that most people these days are aware of the belief that many of the two-legged dinosaurs were feathered. However, as it often turns out, things are more complex than that. This book explores the history of dinosaur art and, along the way, draws on what we know about natural history, camouflage and mating habits of contemporary species.

So why am I posting this review on a blog that is (more or less) focused on information security?

Well, in addition to this book being about pretty pictures of dinosaurs, it is also about an industry working overtime to make guesses about the truth, analyze its mistakes in the face of new evidence and, through a constant stream of screw-ups, come closer and closer to consensus. As they’ve done this, everyone has had to constantly adjust to the shifting truth.

In effect, it is a book about evolution … the evolution of species … the evolution of understanding … and the evolution of the understanding of evolution, so to speak. This happens in all industries, but the younger the industry is, it seems, the less we like to acknowledge that we don’t have all the answers. In Information Security, we don’t like to be wrong and we particularly don’t like to be wrong in front of other people. This is understandable, as when we make a mistake in security, people could get hurt. However, when we don’t get a chance to discuss our mistakes as a community, we don’t get a chance to improve.

Today, there is some discussion in the community, but mostly within closed mailing lists and at conferences. Unlike in the realm of paleo art, our mistakes tend not to be public, so there are fewer eyes on them and fewer opportunities to get better. Fortunately, there are more hackers than professionals who draw dinosaurs, so we do get an advantage of numbers. Still, there is ample room for improvement.

This book explores the problems that arise from:

  • Taking a superficial view of evidence
  • Not comparing logical conclusions to examples of modern data
  • Avoiding analysis and basing beliefs on the misguided work of others
  • Looking strictly at hard evidence and ignoring behavior
  • Hyper-focusing on dramatic scenarios

Sound familiar?

Holding your phone wrong is … right?

A big joke in the cellphone industry was the excuse Apple gave for the “antennagate” issue upon introduction of the iPhone 4: “you’re holding it wrong.”  Funny enough, holding it wrong may be the way to go in the future.

You’ve probably seen published lists of the most commonly used PINs, including such creative numerology as 1111 or 5683 (spells out LOVE). Those of us in security look at those lists and shake our heads, wondering what people were thinking when they hit “1” four times and thought their phone was secure.

Of course, at least they’re using a PIN of some sort in an effort to protect their phone. Even if the PIN is considered “weak,” the stark reality is most people don’t use one simply because PIN codes are inconvenient and take time to enter. In fact, most people don’t use any means of data protection at all.

Thank goodness you’re not one of those PIN-less cellphone users, right?

Well, what if I told you your PIN, no matter how cleverly created, is now trivial to hack?  And that nifty complicated thumb sliding lock pattern you came up with that would require the hacker to be double-jointed to pull off?  Even easier.

There’s a new PIN and lock-pattern proof-of-concept hack from Dr. Adam Aviv and his team of researchers at the University of Pennsylvania that uses the accelerometer in your phone to detect how it moves in space, specifically during the unlock process. As you move your thumb to hit the PIN digits or trace the unlock pattern, this hack records the accelerometer data and matches it against its database of known patterns. They’ve been working on this attack vector for a few years now. Their previous approach used the gyroscopic sensors, which led to very imprecise measurements, but this new approach uses the accelerometer in a “high bandwidth” mode and the results are pretty spectacular. In controlled settings with the subject seated, they were able to guess the PIN 43% of the time and the unlock pattern 73% of the time. When the subject was walking, the accuracy dropped greatly due to the additional movement noise introduced to the sensors, resulting in only 20% of PINs and 40% of patterns guessed. They also mention the possibility of using machine learning to determine text-based passwords as well, but present no collected data for it.

I suspect long key presses for alternate characters may be difficult to decipher from the accelerometer data, but they do briefly mention key permutations (each key having multiple values from long presses), which increase the number of guesses required to get a four-digit PIN combination. If you were to use a very complicated password or random characters, you could make it highly unlikely that your password is guessed using this method. Of course, you would also be spending the bulk of your time on your smartphone entering an unlock password.

Another possible solution is to change the orientation of your phone (i.e. holding it wrong). Since Dr. Aviv’s team is only reading the accelerometer values and not the gyroscope values, which track pitch and roll of your phone, one could throw their data off. If they accounted for this circumstance and polled the gyroscope to determine orientation values while polling the accelerometer, the data sets would be much more complex as a result.

So clearly the best response to this type of attack method is to boogie down, run, jump, etc. while unlocking your phone. Personally, I’m working on some sick dubstep and James Brown moves to go along with my Android unlock pattern that should make it near unreadable.


Three Stories about Growing Up

There have been two stories in the media lately and one event on a private mailing list that have me thinking.  First, the stories.

1) Former NFL quarterback Jon Kitna has become a high school teacher. He did this as a way to give back to the community. However, the most important part of the story is how he is giving back. This is a story about someone trying to change his community by teaching children that their actions have consequences, even if those consequences result in the entire team losing.

2) A Canadian computer science student by the name of Ahmed Al-Khabaz was expelled from Dawson College for running hacking tools against a system that contained data for numerous students. He found a flaw, reported the flaw, but because he did not have permission to run the test, he was kicked out. He has since been offered opportunities with firms and other schools.

3) On my private mailing list, a friend expressed concern over an issue in which one of his students sent a PDF of a book to the entire computer security class. This book was a copyrighted work by someone else that we both know. This was clearly illegal and, by most standards in the security community, unethical.

So, what do all of these stories have in common? Fundamentally, they’re about young people making mistakes. What might be hard to see, though, is that they’re also about adults making mistakes. We in the security and legal communities tend to see the world in black and white. Dawson College expelled Ahmed Al-Khabaz because, in their view, he was “no longer suited to the profession.” There was discussion about expulsion in the private story as well, because of similar concerns. In other words, we have colleges taking a hard line on students that screw up and kicking them out.

The problem, though, is that one of the best ways to learn is by making mistakes. Many of the best people we have in IT Security have checkered pasts. Many of the worst people we have in IT Security also have checkered pasts.  While my own past is cleaner than most, I did cross the line a few times in school and got a talking to. I quickly learned both what to do and what not to do, but more importantly, how to do.

Actions must have consequences. Without pain, we do not learn. However, if those consequences are too severe, we don’t learn either. We give up.

If we look at these issues as a society, we have people working defense who are trying things and, if they try the wrong thing with the wrong person, they’re kicked out. We also have people working as attackers. These are well-paid individuals (due to the high risks involved) and are often highly skilled because they are not hampered by people trying to get them expelled or fired for experimentation. In fact, the more we take a hard line approach to these sorts of issues, the more likely we are to identify our best learners (the young people who make mistakes) and drive them to unethical and illegal activities, as we close the door to legitimate work in their face.

In a world where the attackers are massively out-competing the defenders, I have to ask whether this is wise.

Instead, consider Jon Kitna’s story. He’s adopted hard line rules for his football players. If they screw up, they’re out … but not completely … just a game or part of a game. They’re not off the team, they’re not kicked out of the community. This still means a mistake is punished, but done so in a way where people learn from it. Those who made the mistake get the most punishment. Those who supported the mistake while it was being made get a lesser punishment, and all of them serve as examples to keep everyone else where they need to be.

As people, we learn and grow over time. Of these three stories, which supports growth?  Of these three stories, which people would you rather work with as adults?  Who would you hire?

I know, for me, I’d take the under-educated, low-income kids over the college students any time.  Why?  It’s about community. Lincoln High School is making better adults than Dawson College is. The graduates from Jon Kitna’s football team might not be the best educated kids. They might need a lot of hand holding and training to make it in the real world, but they’ll have character. If I’m working a security problem with someone, I need someone I can trust. That means I need someone who has been raised to be trustworthy. Improvement is iterative and if you’re not given the ability to learn and grow from your mistakes, you’re just going to wind up making the same errors over and over again. As a security person, a professional and, really, just as an adult, I need people who have made mistakes, owned up to them and, where possible, fixed them. I need learners and I need people who can see the shades of grey in the world. I suspect that you do too.

Hoaxicane Sandy

It’s that time again.

Whenever a major media event happens (like Hurricane Sandy), we are inundated with news. Sometimes that news is useful, but often it merely exists to create FUD… Fear, Uncertainty and Doubt. While I have not personally seen any malware campaigns capitalizing on the event yet, it is inevitable. The pattern is generally as follows:

  1. Event hits the news as media outlets try to one-up each other to get the word out.
  2. People spread the warnings, making them just a little bit worse each time they are copied.
  3. Other people create hoaxes to ride the wave of popularity.
  4. Still other people create custom hoaxes to exploit the disaster financially.

A few minutes ago, at least in my little corner of the internet, we hit stage 3 when this image was posted:


( From here. )

Now, as someone who plays with photography, I was a bit suspicious, but as a security person, I can actually prove some things here.

The first tool I want to discuss is FotoForensics. Check out their analysis.

See how the Statue of Liberty and the land on which she stands are much brighter than the background? That indicates that one image has been pasted on top of the other, so we know it’s fake.

Sometimes, though, this trick doesn’t work. If someone is making a good hoax, they can change the error levels to prevent easy detection. That’s where our next tool comes in. TinEye is awesome.

Look what happens when I do a reverse image search on the suspicious file here. (TinEye results expire after 72 hours, so if you’re slow to read this, just paste the URL of the photo into their search box.)

TinEye, by default, is going to try to find the best match. But that’s not what we want. We want the original. Luckily, when people make hoaxes, they usually shrink the image to make it harder to find the signatures of a hoax. So we just click to sort by size and there we have what is likely the original:

ETA: Original can be found in this set by Mike Hollingshead.

Then it lists a bunch of sites that have stolen this image to use without credit. (That’s a different post.) You can then click on the “Compare” link for the likely original and see what they did. By flipping between the versions, you can see that they added the Statue of Liberty, the water and the boat. They also shrunk the image and made it darker… because darker is scarier, apparently.
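As an added illustration (not code from the original post, and not TinEye’s own matching engine), here is a pure-Python difference hash, a perceptual fingerprint of the kind reverse image search engines use. Run on constructed grayscale grids, it shows why the hoax still matches its source after being shrunk, darkened and composited with a pasted object, while an unrelated scene does not.

```python
# Added example: dHash-style perceptual hashing in pure Python.
# Images are constructed grids of grayscale values (0-255), not real photos.

def resample(img, new_w, new_h):
    """Box-filter downscale of a grayscale image given as a list of rows."""
    h, w = len(img), len(img[0])
    bw, bh = w / new_w, h / new_h
    out = []
    for j in range(new_h):
        y0, y1 = int(j * bh), int((j + 1) * bh)
        row = []
        for i in range(new_w):
            x0, x1 = int(i * bw), int((i + 1) * bw)
            block = [img[y][x] for y in range(y0, y1) for x in range(x0, x1)]
            row.append(sum(block) / len(block))
        out.append(row)
    return out

def dhash(img, size=8):
    """Downscale to (size+1) x size, then 1 bit per horizontally adjacent pair.
    Only the *ordering* of neighbours matters, so uniform darkening and
    rescaling leave the hash (almost) untouched."""
    small = resample(img, size + 1, size)
    bits = 0
    for row in small:
        for i in range(size):
            bits = (bits << 1) | (1 if row[i] < row[i + 1] else 0)
    return bits

def hamming(a, b):
    """Number of differing bits between two hashes (lower = more similar)."""
    return bin(a ^ b).count("1")

def tiled_scene(tile_value, tile=8, cols=9, rows=8):
    """Constructed 'photo': a cols x rows grid of flat tiles of tile pixels."""
    return [[tile_value(x // tile, y // tile) for x in range(cols * tile)]
            for y in range(rows * tile)]

def make_hoax(img, paste_value=240, darken=0.6):
    """Mimic the hoax: halve the size, paste a bright object, then darken."""
    small = resample(img, len(img[0]) // 2, len(img) // 2)
    h, w = len(small), len(small[0])
    for y in range(h // 4, h // 2):           # pasted object, centre of frame
        for x in range(4 * w // 9, 6 * w // 9):
            small[y][x] = paste_value
    return [[int(v * darken) for v in row] for row in small]

# Diagonal-stripe "storm cloud" scene and an unrelated scene whose stripes
# run the other way; both are constructed sample inputs.
ORIGINAL = tiled_scene(lambda i, j: 30 + 25 * ((i + j) % 4))
UNRELATED = tiled_scene(lambda i, j: 30 + 25 * ((i - j) % 4))
HOAX = make_hoax(ORIGINAL)

def distances():
    """Hamming distance of each candidate from the original's dHash."""
    h0 = dhash(ORIGINAL)
    return {"hoax": hamming(h0, dhash(HOAX)),
            "unrelated": hamming(h0, dhash(UNRELATED))}

if __name__ == "__main__":
    print(distances())   # hoax differs by a couple of bits; unrelated by many
```

With real photos a distance of roughly 10 bits or fewer is the usual “same picture” threshold; the pasted object only disturbs the few bits that straddle it, which is exactly why sorting the matches by size still surfaces the larger source image.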

The important thing to realize here is that the attacker is trying to manipulate you. By spreading fear, they are making you more susceptible to future attacks. By taking advantage of your uncertainty and doubt, they put you in a position where you will do unwise things to gain an element of certainty in your life. Does this matter that much in an image hoax? Probably not. But it does matter when you start getting fraudulent emails convincing you to “click here” to help victims of the hurricane.

Uncertainty and doubt can work against you, but they can also work for you. When the attacks come (likely in a few hours), approach them with suspicion. If you’re in the path of the storm, trust the names you recognize, like Google and The National Weather Service. If you’re not in the path of the storm and want to send aid, go with The Red Cross. If anyone else you don’t know asks for your money or your clicks, ask yourself what they have to gain.