Trends in Trust on the Internet of Things
We are all happy with how technology is making our lives easier and more fulfilling. Most of the Internet population is, however, not aware that the moment you turn on a device connected to the Internet or an intranet, possibly thousands of lines of data are sent out per second in the background.
With the continuing trend of the Internet of Things, we are now facing the problem of trust. Public and private data in our current world can be used by good as well as nefarious agents alike.
Can you imagine someone using an everyday device (smartphone, Wi-Fi router, iPad) that can sink its teeth into the Internet traffic from your home computer and smartphone? This device silently gobbles up every morsel of data and spits it surreptitiously out of your home network for later analysis. Could a passive observer of Internet traffic still learn much about a target? This is reality!
The moment a Wi-Fi sniffer is connected to your home network and you turn on your device, data is being poured into the sniffer's server. It is thousands and thousands of pages of data, without you having to open any apps. On your phone, apps like Mail, Notes, Safari, Maps, Calendar, Messages, Twitter and Facebook are running in the background and are making connections to the Internet. Most browsers are left open on the phone and reveal dozens of websites you visited. In the first minute a snapshot of your life has already been made. When the data is sent over a secure SSH connection back to the sniffer's server, a number of open source analytics tools may be used against your traffic, including:
- Ngrep packet search tool
- Tshark and Wireshark traffic analysis tools
- Tcpflow data stream capture tool
- Dsniff suite's passive monitoring tools
- Tcpxtract for capturing files within Internet traffic
If you're working from home, your corporate emails, Voice over IP (VoIP) calls and other official communications are concealed by encryption, either by application-specific encryption or by your company's virtual private network. Encryption, when applied consistently, at least helps to thwart casual passive surveillance. But eavesdropping on regular popular Internet services still gives a passive observer valuable metadata, for example by reconstructing Google searches. Google encrypts searches by default now, but data leaks from Google's search engine can easily give up a person's searches once they have been de-anonymised, in part by using Google's own "cookies" against a target. To provide its services, Google uses several cookies, small bits of unique text that are stored by users' web browsers. One of these, the PREF cookie, tracks user identity separately from a Google login, in part to track what users search for and then to serve up context-appropriate advertisements. This unique identification capability means that cookies are also valuable to anyone else listening in. Even within Google's encrypted sites, Google doesn't encrypt PREF cookie data sent from the browser to various services. For example, Google's secure search page makes calls out to Google Maps using the PREF cookie "in the clear", along with unencrypted requests for maps embedded within search results. Thus, map data presented within the otherwise "secure" search results can offer hints about what the user was actually searching for, or even the street address.
Data about a specific person or device can be plucked out of the big data stream from many sources. Here are examples of various unique cookies, with the user populations they identify:
- Hotmail GUIDs: 420 million users (18 February 2013)
- Google prefIDs: 425 million users (28 June 2012)
- Yahoo B cookies: 281 million users (December 2012)
- mail.ru MRCU: 100 million mail users, 260 million vk.com users (13 November 2014)
- yandexUid: 50.5 million users (11 February 2013)
- twitterHash: 288 million monthly active users (1st quarter of 2014)
- rambler RUID: rambler.ru, 2.8 million daily visitors (April 2013 – June 2013)
- facebookMachine: 1.23 billion monthly active users, 757 million daily active users (29 January 2014)
- doubleclickID (owned by Google)
Once you've left the (relative) safety of the major search, mail and social media providers, the vast majority of what you do online is an open book. Most websites are unencrypted, as are the identifying cookies that web browsers pass to them—cookies that can help unmask the people using those browsers. And while most of the major webmail services and other email providers have provided encryption to protect e-mail content between users and their mail servers, a significant portion of e-mail traffic between mail servers remains unencrypted, leaving the content open to perusal by governments or anyone else who can capture it. Extracting meaningful information from all that content doesn't require that someone reads everything in it. They can scan for keywords or look for patterns in data that identify "entities"—known data structures such as a name, an e-mail address or a phone number. They can also count the repetition of words within a document to provide analysts with a sense of what the text is about—"bomb instructions", "divorce lawyers" or "casual encounters".
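The best way to understand what a passive observer gets from clear-text traffic is to audit your own capture the way they would. The script below is an added example written for this article, not Symantec code or any of the tools listed above. It takes a few constructed clear-text HTTP requests (not real captures), flags the persistent identifier cookies the article lists (the cookie names used here are assumptions for illustration), pulls out e-mail and phone "entities" from the decoded query strings and form bodies, and counts keywords, which is exactly the analysis the paragraphs above describe. Run it over a real plaintext export of your own app's traffic to see what it leaks before an attacker does.

```python
"""Audit what a passive observer learns from clear-text HTTP requests.
Added example, not code from the original article; the flows are constructed."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Persistent identifier cookies named in the article's list. The exact cookie
# names are assumptions made for this illustration.
IDENTIFYING_COOKIES = {"pref", "guid", "b", "mrcu", "yandexuid", "ruid", "datr"}

# Constructed sample of request headers a sniffer would see on an unencrypted
# link. Not real captured traffic.
SAMPLE_FLOWS = [
    "GET /maps/api/staticmap?center=221+Baker+St HTTP/1.1\r\n"
    "Host: maps.google.com\r\n"
    "Cookie: PREF=ID=abc123:TM=1400000000; NID=67=xyz\r\n\r\n",
    "GET /s?k=divorce+lawyer+near+me HTTP/1.1\r\n"
    "Host: www.example-shop.test\r\n"
    "Cookie: session-id=999; x-main=qwe\r\n\r\n",
    "POST /contact HTTP/1.1\r\n"
    "Host: www.example-shop.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "name=Jane+Doe&email=jane.doe%40example.test&phone=%2B1-555-0100",
]

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\+?\d[\d\- ]{7,}\d")


def parse_request(raw):
    """Split one raw HTTP request into method, target, host, cookies and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    cookies = {}
    for part in headers.get("cookie", "").split(";"):
        if "=" in part:
            name, _, value = part.strip().partition("=")
            cookies[name] = value
    return {"method": method, "target": target, "host": headers.get("host", "?"),
            "cookies": cookies, "body": body}


def identifying_cookies(req):
    """Cookie names in this request that act as long-lived user identifiers."""
    return sorted(n for n in req["cookies"] if n.lower() in IDENTIFYING_COOKIES)


def cleartext_fields(req):
    """Decoded query-string and form-body fields visible to a passive observer."""
    fields = {}
    for source in (urlsplit(req["target"]).query, req["body"]):
        for key, values in parse_qs(source).items():
            fields[key] = values[0]
    return fields


def extract_entities(text):
    """Pattern-match the 'entities' the article mentions: e-mail and phone."""
    return {"email": EMAIL_RE.findall(text), "phone": PHONE_RE.findall(text)}


def keyword_counts(texts, stopwords=("near", "the", "and")):
    """Count words across the visible fields to get a sense of the topic."""
    words = Counter()
    for text in texts:
        for word in re.findall(r"[a-z]+", text.lower()):
            if len(word) > 2 and word not in stopwords:
                words[word] += 1
    return words


def audit(flows):
    """Summarise hosts, identifying cookies, entities and keywords per capture."""
    report = {"hosts": set(), "identifying_cookies": {},
              "entities": {"email": [], "phone": []}, "keywords": Counter()}
    for raw in flows:
        req = parse_request(raw)
        report["hosts"].add(req["host"])
        flagged = identifying_cookies(req)
        if flagged:
            report["identifying_cookies"].setdefault(req["host"], set()).update(flagged)
        fields = cleartext_fields(req)
        for kind, found in extract_entities(" ".join(fields.values())).items():
            report["entities"][kind].extend(found)
        report["keywords"].update(keyword_counts(fields.values()))
    return report


if __name__ == "__main__":
    for key, value in audit(SAMPLE_FLOWS).items():
        print(key, value)
```

Note that the PREF cookie is flagged on the Google Maps request even though nothing in it looks secret: the value is a stable identifier, so every clear-text request carrying it can be joined to the same person, which is the point the article makes about de-anonymisation.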
Many sites that can leak personal data don’t use encryption by default—or at all. In fact, many e-commerce websites allow users to perform searches and to access other information of a personal nature before logging in, only requiring a secure connection when it comes time to pay.
For example, if you search for something on Amazon or look at your wish list, your traffic is unencrypted by default. This traffic can include your name, birth date, and location, as well as searches for potentially embarrassing items.
Even applications that require a login and then encrypt parts of their traffic can leak personal data. Skype-to-Skype video and audio calls are encrypted, but it turns out the Skype client uses an unencrypted Web interface to retrieve the photo “avatars” for people in a user’s contact list. Part of that request contains the username of the contact, potentially revealing one's Skype contact list.
Phone apps
Your phone also leaks a substantial amount of data.
Crypto support. Facebook's mobile security is fine on most current-generation devices, but the Facebook app on an older Android device sends profile images and other photos unencrypted. Google searches from an Android 4.1.1 ("Jelly Bean") device are unencrypted as well.
Geolocation. The iOS Weather application, which uses Yahoo's Weather API, passes location in clear text. Images taken with the iOS Camera app include, by default, location data, full data about the phone itself, whether the front- or rear-facing camera was used, and the compass direction the phone was facing when the picture was taken. If phone images are posted via a non-secure app or e-mail account, this EXIF metadata can be easily detected in the packet stream.
Web history. Web activity showed up in the capture from unclosed mobile Safari "tabs". Safari stays live even when it has been closed on the screen; behind the scenes, it can reload pages that were previously open.
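The EXIF block in a JPEG is a small TIFF structure: a header, a first image file directory (IFD0) of tagged entries, and, when the camera recorded a position, a GPSInfo entry (tag 0x8825) pointing at a second IFD holding latitude and longitude as degree/minute/second rationals. The example below is added here to illustrate the geolocation point above; it is not code from the article or from Apple. It builds a constructed little-endian TIFF blob with a Make tag and a GPS IFD, then shows the two checks a defender wants before an image leaves a device or a sharing app: does the metadata carry a location, and can the GPS IFD be removed while every other entry is preserved. The assumptions are that only the little-endian ("II") byte order and the five basic TIFF value types are handled, and that the JPEG wrapper around the TIFF payload is left out.

```python
"""Detect and strip GPS coordinates from an EXIF (TIFF) payload.
Added example, not code from the original article; the sample blob is constructed.
Assumes little-endian TIFF only and no JPEG wrapper."""
import struct

TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8}   # BYTE, ASCII, SHORT, LONG, RATIONAL
TAG_GPS_INFO = 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004


def build_ifd(entries, base):
    """Serialise [(tag, type, payload)] as an IFD placed at absolute offset `base`.
    Payloads longer than 4 bytes are written after the table and referenced by offset."""
    count = len(entries)
    data_offset = base + 2 + 12 * count + 4
    table, tail = struct.pack("<H", count), b""
    for tag, typ, payload in sorted(entries):
        n = len(payload) // TYPE_SIZE[typ]
        if len(payload) <= 4:
            value = payload.ljust(4, b"\x00")
        else:
            value = struct.pack("<I", data_offset + len(tail))
            tail += payload
        table += struct.pack("<HHI", tag, typ, n) + value
    return table + struct.pack("<I", 0) + tail      # 0 = no further IFD


def build_tiff(ifd0_entries, gps_entries=None):
    """Assemble header + IFD0 (+ optional GPS IFD linked via tag 0x8825)."""
    header = b"II*\x00" + struct.pack("<I", 8)
    entries = list(ifd0_entries)
    if gps_entries is None:
        return header + build_ifd(entries, 8)
    placeholder = entries + [(TAG_GPS_INFO, 4, struct.pack("<I", 0))]
    gps_offset = 8 + len(build_ifd(placeholder, 8))    # GPS IFD follows IFD0's bytes
    entries.append((TAG_GPS_INFO, 4, struct.pack("<I", gps_offset)))
    return header + build_ifd(entries, 8) + build_ifd(gps_entries, gps_offset)


def read_ifd(blob, offset):
    """Return {tag: (type, payload_bytes)} for the IFD at `offset`, resolving offsets."""
    (count,) = struct.unpack_from("<H", blob, offset)
    entries = {}
    for i in range(count):
        tag, typ, n, raw = struct.unpack_from("<HHI4s", blob, offset + 2 + 12 * i)
        size = n * TYPE_SIZE[typ]
        if size <= 4:
            payload = raw[:size]
        else:
            (ptr,) = struct.unpack("<I", raw)
            payload = blob[ptr:ptr + size]
        entries[tag] = (typ, payload)
    return entries


def to_degrees(payload, ref):
    """Convert three RATIONALs (deg, min, sec) plus an N/S/E/W ref to signed degrees."""
    vals = struct.unpack("<IIIIII", payload)
    d, m, s = (vals[i] / vals[i + 1] for i in (0, 2, 4))
    deg = d + m / 60 + s / 3600
    return -deg if ref in (b"S", b"W") else deg


def gps_location(blob):
    """(lat, lon) if the blob carries GPS coordinates, else None."""
    if blob[:4] != b"II*\x00":
        raise ValueError("only little-endian TIFF/EXIF is handled in this example")
    (ifd0_off,) = struct.unpack_from("<I", blob, 4)
    ifd0 = read_ifd(blob, ifd0_off)
    if TAG_GPS_INFO not in ifd0:
        return None
    (gps_off,) = struct.unpack("<I", ifd0[TAG_GPS_INFO][1])
    gps = read_ifd(blob, gps_off)
    if GPS_LAT not in gps or GPS_LON not in gps:
        return None
    lat = to_degrees(gps[GPS_LAT][1], gps.get(GPS_LAT_REF, (2, b"N"))[1][:1])
    lon = to_degrees(gps[GPS_LON][1], gps.get(GPS_LON_REF, (2, b"E"))[1][:1])
    return (round(lat, 6), round(lon, 6))


def strip_gps(blob):
    """Rebuild the blob without the GPS IFD, keeping every other IFD0 entry."""
    if blob[:4] != b"II*\x00":
        raise ValueError("only little-endian TIFF/EXIF is handled in this example")
    (ifd0_off,) = struct.unpack_from("<I", blob, 4)
    kept = [(tag, typ, payload) for tag, (typ, payload) in read_ifd(blob, ifd0_off).items()
            if tag != TAG_GPS_INFO]
    return build_tiff(kept)


def rational(*pairs):
    return b"".join(struct.pack("<II", n, d) for n, d in pairs)


# Constructed sample: a camera Make string, an Orientation, and a GPS IFD with
# 51 30' 00" N, 0 07' 30" W (made up for this example).
SAMPLE_IFD0 = [(0x010F, 2, b"ExampleCam\x00"), (0x0112, 3, struct.pack("<H", 1))]
SAMPLE_GPS = [(GPS_LAT_REF, 2, b"N\x00"), (GPS_LAT, 5, rational((51, 1), (30, 1), (0, 1))),
              (GPS_LON_REF, 2, b"W\x00"), (GPS_LON, 5, rational((0, 1), (7, 1), (30, 1)))]
SAMPLE_EXIF = build_tiff(SAMPLE_IFD0, SAMPLE_GPS)

if __name__ == "__main__":
    print("location in sample:", gps_location(SAMPLE_EXIF))
    print("location after strip:", gps_location(strip_gps(SAMPLE_EXIF)))
```

Stripping works by rebuilding the directory rather than patching bytes in place, because removing one 12-byte entry shifts every out-of-line value (the Make string here) and would otherwise leave dangling offsets.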
Mobile provider updates include default settings for a variety of services. iOS 5 iPhones automatically connect to the provider's Wi-Fi SSID without user intervention. One good reason for this "feature" is 3G offload: if Wi-Fi from the same provider is available, the provider would prefer that data traffic use the Wi-Fi network instead of the cellular network. The most important reason not to have this behaviour enabled by default is security: it exposes iPhone users to man-in-the-middle (MITM) attacks.
A man-in-the-middle (MITM) attack occurs when an attacker inserts themselves between two devices and is able to read, insert and modify messages passing between them.
The most difficult part of a MITM attack in wired networks is getting into the middle without being detected. Usually this requires physical access to the network, increasing the chances of being discovered.
In a wireless network an attacker can insert a device into the communication path remotely and never expose themselves, making this one of the most dangerous types of wireless attacks. A MITM attack can be used to break connections such as SSL, SSH and VPN.
A wireless MITM utilises a rogue access point, a rogue station and phishing to exploit a user connected to the wireless network. Usually the rogue access point is implemented as a software-based AP (access point) using a PC with dual wireless network interfaces. All mobile operators that implement EAP-SIM will provide the auto-connect "service" to their Wi-Fi hotspots for their users. The MITM would then have to break the authentication based on the SIM card's security (challenge-response).
Unencrypted VoIP calls. Call encryption prevents eavesdropping on and tampering with VoIP calls.
App downloads. Monitoring the traffic to modern smartphones and tablets can also reveal which apps are being bought and downloaded. iOS apps and system updates are delivered to devices as unencrypted .zip files. Google Play Store content, apps and Android OS updates are also delivered unencrypted. Such encryption gaps don't just provide a way to spy on what's on someone's phone; they also offer an opportunity for hackers to attack. Attackers could conceivably deliver an "evil" version of an app to a targeted phone, especially if the attackers can also fool the phone into connecting to their own malicious Wi-Fi access point. The digital signature on iPhone and Google Play apps makes this difficult at best. However, digital signatures for software vendors have been stolen in the past.
Even without resorting to more aggressive, active attacks, the amount of information that can be obtained with simple network tools is staggering. Surveillance technology has become a commodity these days.
On top of the above, 2014 gave us Heartbleed, Shellshock and POODLE. Approximately a billion users alone were affected by the Heartbleed vulnerability. 40-60 billion active smartphone applications may also share some of those same servers or connect to their own group of servers, which may also be compromised. Mobile users carrying smartphones and tablets who are not protected by an enterprise mobile management (EMM) solution are at far more risk than employees who are enrolled in an EMM solution at work. The threat landscape is always evolving; having EMM protection for business data and for the secure transmission of data from device to enterprise mitigates the risk of data and credential loss.
Smartphone and tablet users who have downloaded applications from commercial app stores are exposed, and that means all of us are vulnerable! The exposure comes mainly from an app connecting to a vulnerable server somewhere. Since at least 66% of servers connected to the Internet had a two-year exposure to this bug, we know there is a chance users may have already been compromised.
What was compromised, or could still be compromised, is unknown. Stolen information could include private keys to applications, usernames and passwords, and bank account or payment information.
Someone may have listened, or may still be able to listen, to a VoIP call or instant messaging session. We know that the Heartbleed flaw is limited to whatever secrets an attacker can steal from a 64K area of memory on a server that can be tricked into spilling its guts. This is a glimmer of good news.
Security experts and system admins don’t know how pervasive the exposure is for Internet-connected, cloud and enterprise application servers.
The only real certainty here is that mobility has far more scale than any “desktop” issue. More people carry phones, and there are more mobile applications — both act as force multipliers to the cloud and other servers on the Internet that may have the OpenSSL vulnerability.
BYOD is here to stay, because it has been with us since the beginning of the computer era. Thinking of BYOD, businesses should handle insider threat as both a human management element (know your people: psychological, cyber, contextual) and a data feed element (normative data analysis of a given user's normal behaviour).
The feed elements can be volumetric and frequency anomalies and rapidity (time), which are then classified against a controlled agent. The book The Black Swan has taught us that we need to make predictions for statistically rare events. In security this means we need to plan for future threats. But we should not waste time and money on predicting the impossible. We should look for red flags as they happen.
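To make the "data feed element" concrete, here is an added example (written for this article, not Symantec product code) of the two anomaly feeds just named running over a constructed file-access audit trail: a volumetric check that flags a user-day whose event count sits well above that user's own baseline from the other days, and a rapidity check that flags a burst of events inside a short sliding window. The events, the users alice and bob, the thresholds (mean plus three standard deviations, ten events in sixty seconds) and the floor on the standard deviation are all assumptions chosen for the illustration; a real deployment tunes them per population and feeds the alerts to the human review the paragraph above calls for.

```python
"""Volumetric and rapidity anomaly feeds over a constructed access log.
Added example, not code from the original article; users, events and
thresholds are assumptions made for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def make_sample_events():
    """Constructed sample: three quiet days for alice and bob, then on day 4
    alice reads 25 finance files within 72 seconds while bob stays normal."""
    events = []
    base = datetime(2014, 11, 3, 9, 0, 0)
    for day in range(3):
        for i in range(4):
            events.append((base + timedelta(days=day, minutes=37 * i),
                           "alice", "read", f"/share/reports/r{i}.pdf"))
        for i in range(3):
            events.append((base + timedelta(days=day, minutes=50 * i),
                           "bob", "read", f"/share/hr/h{i}.docx"))
    burst = base + timedelta(days=3, hours=2)
    for i in range(25):
        events.append((burst + timedelta(seconds=3 * i),
                       "alice", "read", f"/share/finance/f{i}.xlsx"))
    for i in range(3):
        events.append((base + timedelta(days=3, minutes=50 * i),
                       "bob", "read", f"/share/hr/h{i}.docx"))
    return sorted(events)


def daily_counts(events):
    """{user: {date: number of events}}"""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, user, _, _ in events:
        counts[user][ts.date()] += 1
    return counts


def volumetric_alerts(events, k=3.0):
    """Flag a user-day whose count exceeds mean + k*stdev of that user's other days.
    Needs at least two baseline days; stdev is floored at 1 so a perfectly flat
    baseline still yields a usable threshold (an assumption of this example)."""
    alerts = []
    for user, per_day in daily_counts(events).items():
        for day, n in sorted(per_day.items()):
            others = [c for d, c in per_day.items() if d != day]
            if len(others) < 2:
                continue
            threshold = mean(others) + k * max(pstdev(others), 1.0)
            if n > threshold:
                alerts.append(("volume", user, day.isoformat(), n))
    return alerts


def rapidity_alerts(events, window=timedelta(seconds=60), threshold=10):
    """Flag a user the first time `threshold` events fall inside one sliding `window`."""
    alerts = []
    by_user = defaultdict(list)
    for ts, user, _, _ in events:
        by_user[user].append(ts)
    for user, stamps in by_user.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(("rapidity", user, stamps[start].isoformat()))
                break            # one alert per user is enough for this example
    return alerts


def run_feed(events):
    """Both feeds combined; the output is what an analyst would triage."""
    return volumetric_alerts(events) + rapidity_alerts(events)


if __name__ == "__main__":
    for alert in run_feed(make_sample_events()):
        print(alert)
```

The volumetric check deliberately compares each day only against the user's other days, so one bad day does not inflate its own baseline; the rapidity check is independent of volume and would also catch a short burst on an otherwise ordinary day.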
As the web keeps evolving we find that 2014 gave us new dimensions of things to plan for. Windows XP went end of life in 2014, with China getting a special exception, as 57% of China's web population is still using this older OS. Strategic decisions by big commercial companies like Microsoft balance market penetration against piracy of their software. China's pirated software market is 3 times larger than the legal market (9 vs. 2.7 billion in 2012).
With 10–30% of computer users worldwide still using XP, which is a favoured target for attackers and is now no longer being patched, millions of people will be more vulnerable in the years to come.
Mac OS is seeing newcomers in malware trying to fill up this previously quiet scene.
Digital freedom saw developments, with major companies and states taking action to improve their users' sense of privacy.
Web pages are becoming more dynamic for users. This means coders need to be more aware of secure coding to prevent issues like the Tumblr worm, or worse. Hundreds of millions of records were stolen via data breaches in 2014. More than 300,000 servers were hacked by a worm in order to steal banking login credentials. This was just one example of many attack operations that combined traditional attack techniques with existing vulnerabilities.
Law enforcement caught some major bad actors in 2014, but these are certainly a small fraction of the total e-crime cases. Developers need to be ever more aware of secure coding and code audits. Battery-draining Bitcoin mining apps and ransomware, including CryptoLocker, have proven to be exceptionally lucrative for attackers. Vigilance on downloads remains the most effective precaution mobile users can take to avoid Trojans.
Choose Symantec as your partner in security at home and in business. We have gathered the most sophisticated security features to give you back trust in the current digital era.
Sources:
http://www.internetlivestats.com/internet-users/
http://www.circlemud.org/jelson/software/tcpflow/
http://www.monkey.org/~dugsong/dsniff/
http://www.theguardian.com/world/2014/feb/27/gchq-nsa-webcam-images-internet-yahoo
http://tcpxtract.sourceforge.net/
https://bugzilla.mozilla.org/show_bug.cgi?id=368255
https://www.google.com/policies/technologies/types/
https://support.google.com/adsense/answer/113771?hl=en
http://httpshaming.tumblr.com/
http://www.wi-fiplanet.com/tutorials/article.php/1457211
http://www.vox.com/cards/heartbleed/how-does-the-heartbleed-attack-work
http://www.amazon.com/The-Black-Swan-Improbable-Robustness/dp/081297381X
http://www.cloudwedge.com/vulnerable-voice-ip-hacking/
http://www.cnet.com/news/behindthailands-high-tech-coup-stifling-online-dissent-q-a/
http://windows.microsoft.com/en-us/windows/lifecycle
http://www.pcworld.com/article/2103680/chinas-windows-xp-users-to-still-get-security-support.html
http://www.buzzfeed.com/ryanhatesthis/hacker-group-exploits-security-hole-in-tumblr#.anvRKM00B
http://www.bbc.com/news/technology-27691892
http://www.zdnet.com/pictures/2014-in-security-the-biggest-hacks-leaks-and-data-breaches/2/
http://krebsonsecurity.com/2014/05/true-goodbye-using-truecrypt-is-not-secure/
https://threatpost.com/mac-trojan-steals-bitcoin-wallet-credentials/104152
http://www.symantec.com/connect/blogs/international-takedown-wounds-gameover-zeus-cybercrime-network
http://www.scmagazine.com/core-infrastructure-initiative-to-fund-openssl-audit/article/349068/
http://en.wikipedia.org/wiki/Android_version_history