Bait Phone
You may be familiar with the truTV program Bait Car, where the police place a vehicle equipped with hidden cameras and radio trackers in various areas to catch a would be car thief in the act. It’s kinda fun to watch people ‘check out’ the car, check out the surroundings and decide to jump in and drive off. You get to see their excitement as they think that they’ve just won the jackpot along with the utter despair as officers remotely kill the car and the thief is surrounded. Even the excuses as to why they are driving it are hilarious. ‘I was just moving it for my friend, so they wouldn’t get a ticket, whose name I forgot and I also can’t remember where they live.’ In the UK, they got something similar except with mobile phones called ‘Operation Mobli.’ Plain clothes police purposely left "bait" phones embedded with tracking devices in nine pubs and bars across the towns of Hastings and St Leonards in Sussex. I’m not sure what makes and models of phones were left for the taking but none of the baited devices were stolen. In every case, an honest patron noticed the ‘forgotten’ phone and turned in to the bar staff. Some might describe this sting as a failure but according to the Sussex Police’s press release Sgt Ché Donald said, ‘This was an excellent result and my faith has been restored as the phones were honestly handed in.’ I often write about the potential perils of losing a smartphone crammed with private data and all the unfortunate circumstances that follow. If it gets into the wrong hands then that is the case yet we must also remember that there are plenty of good, honest folks out there who will do the right thing when they find something that doesn’t belong to them. Maybe they’ve seen police sting shows, maybe they’ve lost something themselves, maybe their parents raised them right or maybe it’s simply kindness and honesty that’s built into every one of us. Human’s are capable of the greatest good and the nastiest of evil, it’s all how we decide to play it. ps References: Operation Mobli deters mobile phone thieves in Hastings Police mobile phone sting fails when.. err.. no handsets stolen Mobile-phone 'sting' reveals honesty of Sussex pubgoers Police Sting Operation Yields No Mobile Phone Thefts It's legal: cops seize cell phone, impersonate owner What’s in Your Smartphone? Freedom vs. Control BYOD–The Hottest Trend or Just the Hottest Term Will BYOL Cripple BYOD?695Views0likes1CommentICSA Certified Network Firewall for Data Centers
The BIG-IP platform is now ICSA Certified as a Network Firewall. Internet threats are widely varied and multi-layered. Although applications and their data are attackers’ primary targets, many attackers gain entry at the network layer. Internet data centers and public-facing web properties are constant targets for large-scale attacks by hacker/hactivist communities and others looking to grab intellectual property or cause a service outage. Organizations must prepare for the normal influx of users, but they also must defend their infrastructure from the daily barrage of malicious users. Security administrators who manage large web properties are struggling with security because traditional firewalls are not meeting their fundamental performance needs. Dynamic and layered attacks that necessitate multiple-box solutions, add to IT distress. Traditional firewalls can be overwhelmed by their limited ability to scale under a DDoS attack while keeping peak connection performance for valid users, which renders not only the firewalls themselves unresponsive, but the web sites they are supposed to protect. Additionally, traditional firewalls’ limited capacity to interpret context means they may be unable to make an intelligent decision about how to deliver the application while also keeping services available for valid requests during a DDoS attack. Traditional firewalls also lack specialized capabilities like SSL offload, which not only helps reduce the load on the web servers, but enables inspection, re-encryption, and certificate storage. Most traditional firewalls lack the agility to react quickly to changes and emerging threats, and many have only limited ability to provide new services such as IP geolocation, traffic redirection, traffic manipulation, content scrubbing, and connection limiting. An organization’s inability to respond to these threats dynamically, and to minimize the exposure window, means the risk to the overall business is massive. There are several point solutions in the market that concentrate on specific problem areas; but this creates security silos that only make management and maintenance more costly, more cumbersome, and less effective. The BIG-IP platform provides a unified view of layer 3 through 7 for both general and ICSA required reporting and alerts, as well as integration with SIEM vendors. BIG-IP Local Traffic Manager offers native, high-performance firewall services to protect the entire infrastructure. BIG-IP LTM is a purpose-built, high-performance Application Delivery Controller designed to protect Internet data centers. In many instances, BIG-IP LTM can replace an existing firewall while also offering scale, performance, and persistence. Performance: BIG-IP LTM manages up to 48 million concurrent connections and 72 Gbps of throughput with various timeout behaviors, buffer sizes, and more when under attack. Protocol security: The BIG-IP system natively decodes IPv4, IPv6, TCP, HTTP, SIP, DNS, SMTP, FTP, Diameter, and RADIUS. Organizations can control almost every element of the protocols they’re deploying. DDoS prevention capabilities: An integrated architecture enables organizations to combine traditional firewall layers 3 and 4 with application layers 5 through 7. DDoS mitigations: The BIG-IP system protects UDP, TCP, SIP, DNS, HTTP, SSL, and other network attack targets while delivering uninterrupted service for legitimate connections. SSL termination: Offload computationally intensive SSL to the BIG-IP system and gain visibility into potentially harmful encrypted payloads. Dynamic threat mitigation: iRules provide a flexible way to enforce protocol functions on both standard and emerging or custom protocols. With iRules, organizations can create a zero day dynamic security context to react to vulnerabilities for which an associated patch has not yet been released. Resource cloaking and content security: Prevent leaks of error codes and sensitive content. F5 BIG-IP LTM has numerous security features so Internet data centers can deliver applications while protecting the infrastructure that supports their clients and, BIG-IP is now ICSA Certified as a Network Firewall. ps Resources: F5’s Certified Firewall Protects Against Large-Scale Cyber Attacks on Public-Facing Websites F5 BIG-IP Data Center Firewall – Overview BIG-IP Data Center Firewall Solution – SlideShare Presentation High Performance Firewall for Data Centers – Solution Profile The New Data Center Firewall Paradigm – White Paper Vulnerability Assessment with Application Security – White Paper Challenging the Firewall Data Center Dogma Technorati Tags: F5, big-ip, virtualization, cloud computing, Pete Silva, security, icsa, iApp, compliance, network firewall, internet, TMOS, big-ip, vCMP465Views0likes1CommentYou’ll Shoot Your Eye Out…
…is probably one of the most memorable lines of any Holiday Classic. Of course I’m referring to A Christmas Story, where a young Ralphie tries to convince his parents, teachers and Santa that the Red Ryder BB Gun is the perfect present. I don’t know of there was a warning label on the 1940’s edition box but it is a good reminder from a security perspective that often we, meaning humans, are our own worst enemy when it comes to protecting ourselves. Every year about 100 or so homes burn down due to fried turkeys. A frozen one with ice crystals straight in or the ever famous too much oil that overflows and toasts everything it touches. Even with the warnings and precautions, humans still take the risk. Warning: You can get burned badly. As if the RSA breach wasn’t warning enough about the perils of falling for a phishing scam, we now learn that the South Carolina Department of Revenue breach was also due to an employee, and it only takes one, clicking a malicious email link. That curiosity lead to over 3.8 million Social Security numbers, 3.3 million bank accounts, thousands of credit cards along with 1.9 million dependant’s information being exposed. While the single click started it all, 2-factor authentication was not required and the stored info was not encrypted, so there is a lot of human error to go around. Plus a lot of blame being tossed back and forth – another well used human trait – deflection. Warning: Someone else may not protect your information. While working the SharePoint Conference 2012 in Vegas a couple weeks ago, I came across a interesting kiosk where it allows you to take a picture and post online for free to any number of social media sites. It says ‘Post a picture online for free.’ but there didn’t seem to be a Warning: ‘You are also about to potentially share your sensitive social media credentials or email, which might also be tied to your bank account, into this freestanding machine that you know nothing about.’ I’m sure if that was printed somewhere, betters would think twice about that risk. If you prefer not to enter social media info, you can always have the image emailed to you (to then share) but that also (obviously) requires you to enter that information. While logon info might not be stored, email is. Yet another reason to get a throw away email address. I’m always amazed at all the ways various companies try to make it so easy for us to offer up our information…and many of us do without considering the risks. In 2010, there were a number of photo kiosks that were spreading malware. Warning: They are computers after all and connected to the internet. Insider threats are also getting a lot of attention these days with some statistics indicating that 33% of malicious or criminal attacks are from insiders. In August, an insider at Saudi Aramco released a virus that infected about 75% of the employee desktops. It is considered one of the most destructive computer sabotages inflicted upon a private company. And within the last 2 days, we’ve learned that the White House issued an Executive Order to all government agencies informing them of new standards and best practices around gathering, analyzing and responding to insider threats. This could be actual malicious, disgruntled employees, those influenced by a get rich quick scheme from an outsider or just ‘compromised’ employees, like getting a USB from a friend and inserting it into your work computer. It could even be simple misuse by accident. In any event, intellectual property or personally identifiable information is typically the target. Warning: Not everyone is a saint. The Holidays are still Happy but wear your safety glasses, don’t click questionable links even from friends, don’t enter your logon credentials into a stray kiosk and a third of your staff is a potential threat. And if you are in NYC for the holidays, a limited run of "Ralphie to the Rescue!" A Christmas Story, The Musical is playing at the Lunt-Fontanne Theatre until Dec 30th. ps References How One Turkey Fryer Turned Into A 40-foot Inferno That Destroyed Two Cars And A Barn S.C. tax breach began when employee fell for spear phish 5 Stages of a Data Breach Thinking about Security from the Inside Out Obama issues insider threat guidance for gov't agencies National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs Insiders Big Threat to Intellectual Property, Says Verizon DBIR Negligent Insiders and Malicious Attacks Continue to Pose Security Threat Infographic: Protect Yourself Against Cybercrime The Exec-Disconnect on IT Security "Ralphie to the Rescue!" A Christmas Story, The Musical Opens On Broadway Nov. 19255Views0likes0CommentsApache Server Status–> Status Secured
You know, working at F5 has some real perks. Cool gatherings, good workspace and my favorite part, really really REALLY smart people. I often tell people who as why I love working at F5 “The best part about it, is standing up, looking around, and realizing, I am surrounded by really smart, knowledgeable people.” A great example of this came across my virtual desk in the tubes just last friday. A group of our FSE (Field support engineers) and SA’s (Solution Architects) put out a great advisory regarding in information disclosure vulnerability from Apache server status. Check out the highlights below: ------------------------------------------------------------------------------ Apache has a very useful functionality called server-status that allows administrators to easily find how well their servers are performing. It is basically an HTML page that displays the number of process working, status of each request, IP addresses that are visiting the site, pages that are being queried and things like that. All good. However, this feature can also have security implications if you leave it wide open to the world. Anyone would be able to see who is visiting the site, the URLs, and sometimes even find hidden (obscure) admin panels or files that should not be visible to the outside. http://blog.sucuri.net/2012/10/popular-sites-with-apache-server-status-enabled.html http://urlfind.org/?server-status Below is a simple iRule to mitigate against this issue. This was written for v11 F5 TMOS. Step 1 Create a String-type data group called “bad_uris” containing the string of “/server-status/” (without quotations). No value is necessary. Also if you wanted to block other common attacks you could add /cmd.exe to this list… ltm data-group internal /Common/bad_uris { records { /server-status/ { } } type string } Step 2 Create the following irule and modify the page below to point to an errorpage or maintenance page on your site when HTTP_REQUEST { if { [class match [URI::decode [string tolower [HTTP::uri]]] contains bad_uris] } { HTTP::respond 302 Location "http://company.com/errorpage.html" Cache-Control No-Cache Pragma No-Cache } Step 3 Apply the irule to your web app Virtual Server, under resources. Example of Apache Server Status Data: ------------------------------------------------------------------------------ End of Original Transmission Pretty cool eh? What this really allows us to do is protect all the apache servers in the environment that come through the F5. This helps protect us from the little mistakes that can/are made spinning up a new server. If the new intern spins up the new server and forgets that they left this page out there, the F5 can make sure that external forces can’t access it. Give it a shot, it’s a very low overhead iRule. Major shoutouts to the crew: Matt Fearnow Rob Eberhardt Aaron Hooley David Remington for this great doc! Peace out all! Josh322Views0likes0CommentsBYOD Policies – More than an IT Issue Part 4: User Experience and Privacy
#BYOD or Bring Your Own Device has moved from trend to an permanent fixture in today's corporate IT infrastructure. It is not strictly an IT issue however. Many groups within an organization need to be involved as they grapple with the risk of mixing personal devices with sensitive information. In my opinion, BYOD follows the classic Freedom vs. Control dilemma. The freedom for user to choose and use their desired device of choice verses an organization's responsibility to protect and control access to sensitive resources. While not having all the answers, this mini-series tries to ask many the questions that any organization needs to answer before embarking on a BYOD journey. Enterprises should plan for rather than inherit BYOD. BYOD policies must span the entire organization but serve two purposes - IT and the employees. The policy must serve IT to secure the corporate data and minimize the cost of implementation and enforcement. At the same time, the policy must serve the employees to preserve the native user experience, keep pace with innovation and respect the user's privacy. A sustainable policy should include a clear BOYD plan to employees including standards on the acceptable types and mobile operating systems along with a support policy showing the process of how the device is managed and operated. Some key policy issue areas include: Liability, Device Choice, Economics, User Experience & Privacy and a trust Model. Today we look at User Experience & Privacy. User Experience and Privacy Most application deployments have the user experience in mind and BYOD is no different. Employees want and need fast and secure access to the right resources, at the right time to accomplish their job. BYOD only enhances or increases the need for a rich user experience. Understand how the policy impacts user experience including battery life. Some apps can drain battery life quickly, which in turn decreases user satisfaction and can potentially limit their interactions. There may be instances where the user has chosen a third-party email application verses either the native email client or one that's supported by corporate. Certainly a dilemma but as stated earlier, a policy should state what's allowed and not allowed. MDM technology is also improving to the point that Secure apps like a browser, email client and other resources are secured on the client device. A user can still use their email client of choice for personal use but work email is delivered through the secure email client. While user experience can contribute to the happiness and productivity of the user/employee, privacy can be a huge issue when BYOD is implemented. A 2010 Supreme Court case, City of Ontario v. Quon, looked at the extent to which the right to privacy applies to electronic communications in a government workplaces. This case also looked at Fourth Amendment rights against unreasonable search and seizure. Essentially, a number of police officers were fired for sending sexually explicit message with a city issued device. The city requested an audit of the overages along with the sent messages. The officers sued since the agreement/policy they had with the city allowed them to send personal notes and pay for any overages that might occur. Plus they claimed that their constitutional right was violated along with their privacy under federal communications laws. The court ruled that since they were using city issued devices, the municipality was well within their rights to search since it was work related and it had not violated the Fourth Amendment. If everything was the same but the devices were personally owned by the officers in question, then the city could be in violation and liable. Within the BYOD policy, organizations should also establish a social contract that communicates how and when IT will monitor the device along with when/how/why a device could be wiped. As part of the BYOD Policy the User Experience & Privacy Checklist, while not inclusive, should: · Identify what activities and data must be monitored · Determine the circumstances when a device wipe must occur · Determine how employees can self-remediate · Determine which core services will be delivered to users · Draft a BYOD social contract with Human Resources ps Related BYOD Policies – More than an IT Issue Part 1: Liability BYOD Policies – More than an IT Issue Part 2: Device Choice BYOD Policies – More than an IT Issue Part 3: Economics BYOD–The Hottest Trend or Just the Hottest Term FBI warns users of mobile malware Will BYOL Cripple BYOD? Freedom vs. Control What’s in Your Smartphone? Worldwide smartphone user base hits 1 billion SmartTV, Smartphones and Fill-in-the-Blank Employees Evolving (or not) with Our Devices The New Wallet: Is it Dumb to Carry a Smartphone? Bait Phone BIG-IP Edge Client 2.0.2 for Android BIG-IP Edge Client v1.0.4 for iOS New Security Threat at Work: Bring-Your-Own-Network Legal and Technical BYOD Pitfalls Highlighted at RSA272Views0likes0CommentsBYOD Policies – More than an IT Issue Part 2: Device Choice
#BYOD or Bring Your Own Device has moved from trend to an permanent fixture in today's corporate IT infrastructure. It is not strictly an IT issue however. Many groups within an organization need to be involved as they grapple with the risk of mixing personal devices with sensitive information. In my opinion, BYOD follows the classic Freedom vs. Control dilemma. The freedom for user to choose and use their desired device of choice verses an organization's responsibility to protect and control access to sensitive resources. While not having all the answers, this mini-series tries to ask many the questions that any organization needs to answer before embarking on a BYOD journey. Enterprises should plan for rather than inherit BYOD. BYOD policies must span the entire organization but serve two purposes - IT and the employees. The policy must serve IT to secure the corporate data and minimize the cost of implementation and enforcement. At the same time, the policy must serve the employees to preserve the native user experience, keep pace with innovation and respect the user's privacy. A sustainable policy should include a clear BOYD plan to employees including standards on the acceptable types and mobile operating systems along with a support policy showing the process of how the device is managed and operated. Some key policy issue areas include: Liability, Device choice, Economics, User Experience & Privacy and a trust Model. Today we look at Device Choice. Device Choice People have become very attached to their mobile devices. They customize and personalize and it's always with them, to the point of even falling asleep with the device. So ultimately, personal preference or the 'consumerization of IT' notion is one of the primary drivers for BYOD. Organizations need to understand, what devices employees prefer and what devices do employees already own. That would could dictate what types of devices might request access. Once organizations get a grasp on potential devices, they then need to understand each device's security posture. About 10 years ago, RIM was the first technology that really brought the Smartphone into the workplace. It was designed to address the enterprise's needs and for years was the Gold Standard for Enterprise Mobility. Management control was integrated with the device; client certificate authentication was supported; Active Directory/LDAP servers were not exposed to the external internet; the provisioning was simple and secure; organizations could manage both Internet access and intranet access, and IT had end point control. When Apple's iPhone first hit the market, it was purely a consumer device for personal use and was not business centric, like the BlackBerry. Initially, the iPhone did not have many of the features necessary to be part of the corporate environment. It was not a business capable device. It did not support applications like Exchange, which is deployed in many organizations and is critical to a user's day-to-day activities. Over time, the iPhone has become a truly business capable device with additional mechanisms to protect end users. Android, very popular with consumers, also offers numerous business apps but is susceptible to malware. Device selection is also critical to the end user experience. Surveys show that workers are actually more productive when they can use their personal smartphone for work. Productivity increases since we prefer to use our own device. In addition, since many people like to have their device with them all the time, many will answer emails or do work during non-work hours. A recent survey indicated that 80% of Americans work an extra 30 hours a month on their own time with BYOD. But we are much happier. A few blogs ago, I wrote about Good Technology’s BYOD survey, found that organizations are jumping on the phenomenon since they see real ROI from encouraging BYOD. The ability to keep employees connected (to information) day and night can ultimately lead to increased productivity and better customer service. They also found that two of the most highly regulated industries - financial services and health care - are most likely to support BYOD. This shows that the security issues IT folks often raise as objections are manageable and there's major value in supporting BYOD. Another ROI discovered through the survey is that since employees are using their own devices, half of Good’s customers don't pay anything for the employees' BYOD devices – essentially, according to Good, getting employees to pay for the productivity boost at work. As part of the BYOD Policy the Device Choice Checklist, while not inclusive, should: · Survey employees about their preferences and current devices · Define a baseline of acceptable security and supportability features · Do homework: Read up on hardware, OS, and regional variances · Develop a certification program for future devices · Work with Human Resources on clear communication to employees about which devices are allowed–or not–and why ps Related BYOD Policies – More than an IT Issue Part 1: Liability BYOD–The Hottest Trend or Just the Hottest Term FBI warns users of mobile malware Will BYOL Cripple BYOD? Freedom vs. Control What’s in Your Smartphone? SmartTV, Smartphones and Fill-in-the-Blank Employees Evolving (or not) with Our Devices The New Wallet: Is it Dumb to Carry a Smartphone? Bait Phone BIG-IP Edge Client 2.0.2 for Android BIG-IP Edge Client v1.0.4 for iOS New Security Threat at Work: Bring-Your-Own-Network Legal and Technical BYOD Pitfalls Highlighted at RSA233Views0likes0CommentsBYOD Policies – More than an IT Issue Part 1: Liability
#BYOD or Bring Your Own Device has moved from trend to an permanent fixture in today's corporate IT infrastructure. It is not strictly an IT issue however. Many groups within an organization need to be involved as they grapple with the risk of mixing personal devices with sensitive information. In my opinion, BYOD follows the classic Freedom vs. Control dilemma. The freedom for user to choose and use their desired device of choice verses an organization's responsibility to protect and control access to sensitive resources. While not having all the answers, this mini-series tries to ask many the questions that any organization needs to answer before embarking on a BYOD journey. Enterprises should plan for rather than inherit BYOD. BYOD policies must span the entire organization but serve two purposes - IT and the end users. The policy must serve IT to secure the corporate data and minimize the cost of implementation and enforcement. At the same time, the policy must serve the employees to preserve the native user experience, keep pace with innovation and respect the user's privacy. A sustainable policy should include a clear BOYD plan to employees including standards on the acceptable types and mobile operating systems along with a support policy showing the process of how the device is managed and operated. Some key policy issue areas include: Liability, Device choice, Economics, User Experience & Privacy and a trust Model. Today we look at Liability. Liability In addition to IT, an organization's Legal department needs to be involved with any BYOD policy creation to make sure the liability risk for both the user and company is contained and managed. While employees are an organization's greatest asset (other than Intellectual Property, potentially), they are often the culprits of data exposure, intentional or not. Organizations need to consider employee actions and the corresponding liability. If the employee owns the device, does the liability increase or decrease? Even if liability stays neutral, the overall business risk increases any time corporate data is accessed from personal employee devices, mobile or not. What happens if personal data on a personal Smartphone is damaged? What happens if it's remotely wiped by corporate IT, if it is lost? These are some areas that must be resolved with the BYOD policy. Some organizations are very clear about lost/stolen policy and users have the choice of opting out. That's just the personal liability. From a financial liability standpoint, what happens when monthly charges are reimbursed? Often, financial responsibility may dictate legal obligation. A recent Ponemon Institute and Websense survey showed that mobile devices can be a double-edge sword for enterprises. 77% of the 4640 responses said that the use of mobile devices in the workplace is important to achieving business objectives but almost the same percentage - 76% - believe that these tools introduce a "serious" set of risks. While organizations understand the risks, the survey showed that only 39% have security controls in place to mitigate them. As a result, 59% of respondents said they’ve seen a jump in malware infections over the past 12 months due, specifically, to insecure mobile devices including laptops, Smartphone, and tablets while 51% said their organization has experienced a data breach due to insecure devices. As part of the BYOD Policy the Liability Checklist, while not inclusive, should: · Define baseline security requirements · Assess liability of personal web and app usage · Evaluate legal ramifications of reimbursement · Quantify the costs of monitoring and enforcement · Assess the risk and liability of damaging personal data There are probably a ton more Liability questions that should be answered but this was intended as a starting point. What other areas should legal be concerned about? ps Related BYOD–The Hottest Trend or Just the Hottest Term Will BYOL Cripple BYOD? Freedom vs. Control What’s in Your Smartphone? SmartTV, Smartphones and Fill-in-the-Blank Employees Evolving (or not) with Our Devices The New Wallet: Is it Dumb to Carry a Smartphone? Bait Phone BIG-IP Edge Client 2.0.2 for Android BIG-IP Edge Client v1.0.4 for iOS New Security Threat at Work: Bring-Your-Own-Network Legal and Technical BYOD Pitfalls Highlighted at RSA228Views0likes0CommentsFrom Car Jacking to Car Hacking
With the promise of self-driving cars just around the corner of the next decade and with researchers already able to remotely apply the brakes and listen to conversations, a new security threat vector is emerging. Computers in cars have been around for a while and today with as many as 50 microprocessors, it controls engine emissions, fuel injectors, spark plugs, anti-lock brakes, cruise control, idle speed, air bags and more recently, navigation systems, satellite radio, climate control, keyless entry, and much more. In 2010, a former employee of Texas Auto Center hacked into the dealer’s computer system and remotely activated the vehicle-immobilization system which engaged the horn and disabled the ignition system of around 100 cars. In many cases, the only way to stop the horns (going off in the middle of the night) was to disconnect the battery. Initially, the organization dismissed it as a mechanical failure but when they started getting calls from customers, they knew something was wrong. This particular web based system was used to get the attention of those who were late on payments but obviously, it was used for something completely different. After a quick investigation, police were able to arrest the man and charge him with unauthorized use of a computer system. University of California - San Diego researchers, in 2011, published a report (pdf) identifying numerous attack vectors like CD radios, Bluetooth (we already knew that) and cellular radio as potential targets. In addition, there are concerns that, in theory, a malicious individual could disable the vehicle or re-route GPS signals putting transportation (fleet, delivery, rental, law enforcement) employees and customers at risk. Many of these electronic control units (ECUs) can connect to each other and the internet and so they are vulnerable to the same internet dangers like malware, trojans and even DoS attacks. Those with physical access to your vehicle like mechanics, valets or others can access the On-Board Diagnostic System (OBD-II) usually located right under the dash. Plug in, and upload your favorite car virus. Tests have shown that if you can infect the diagnostics tools at a dealership, when cars were connected to the system, they were also infected. Once infected, the car would contact the researcher’s servers asking for more instructions. At that point, they could activate the brakes, disable the car and even listen to conversations in the car. Imagine driving down a highway, hearing a voice over the speakers and then someone remotely explodes your airbags. They’ve also been able to insert a CD with a malicious file to compromise a radio vulnerability. Most experts agree that right now, it is not something to overly worry about since many of the previously compromised systems are after-market equipment, it takes a lot of time/money and car manufactures are already looking into protection mechanisms. But as I’m thinking about current trends like BYOD, it is not far fetched to imagine a time when your car is VPN’d to the corporate network and you are able to access sensitive info right from the navigation/entertainment/climate control/etc screen. Many new cars today have USB ports that recognize your mobile device as an AUX and allow you to talk, play music and other mobile activities right through the car’s system. I’m sure within the next 5 years (or sooner), someone will distribute a malicious mobile app that will infect the vehicle as soon as you connect the USB. Suddenly, buying that ‘84 rust bucket of a Corvette that my neighbor is selling doesn’t seem like that bad of an idea even with all the C4 issues. ps250Views0likes0CommentsParking Ticket Privacy
Imagine getting a $20 parking ticket and then filing suit against the issuing municipality for exposing too much personal information on that ticket. That’s exactly what Jason Senne did after receiving a $20 parking ticket in 2010 for illegally parking his car overnight in the Chicago ‘burb of Palatine, Ill. His name, address, driver's license number, date of birth, height and weight all appeared on the ticket, which was placed on his windshield in full public view. Senne's complaint alleged that disclosure of his identity was in violation of the Driver’s Privacy Protection Act of 1994 (DPPA). DPPA requires that all states protect a driver's name, address, phone number, Social Security number, driver identification number, photograph, height, weight, gender, age, and specific medical or disability information. Congress passed the privacy legislation in response to the death of actress Rebecca Schaeffer. She was killed by a stalker who had gotten her unlisted home address through the California DMV. In Senne’s case, initially a federal judge found that an exception for law enforcement protected the village's actions, and a 3-judge panel of the 7th Circuit affirmed that last year. Senne pushed and the full federal appeals court agreed to rehear the case. Last week, the full federal appeals court decided Monday that ‘the parking ticket at issue here did constitute a disclosure regulated by the DPPA.’ In a 7-4 ruling, the appeals court said that it didn’t matter if someone walking by happened to notice the personal info – just the fact that it was exposed in such a public manner was enough. The earlier district court decision, in favor of Palatine Village, was based on the notion that a ‘disclosure’ was when an entity turned over information to someone else without consent and was not considered disclosure. In this case, there was no direct handoff, just the ticket flapping on the windshield/wiper blade in plain sight. In the overturned ruling, the divided court felt that there was real risk, safety and security concerns at stake. A stalker looking for a target could just hang out where overnight parking is banned and collect a bunch of potential victim’s info for future harassment. The recent court’s interpretation of the law might also expose Palatine to a hefty $80 million fine. Since there is a 4 year statute of limitations on private lawsuits and each privacy violation carries a $2500 penalty, all those tickets issued during that time frame with the protected info could be in play. It’s an interesting case about privacy and how others, without malicious intent, may expose personal, sensitive details about an individual. While identity theft due to electronic means, like data breaches, is on the rise, stolen wallets or physical documents (dumpster diving) still account for a good percentage of ID theft crimes. Back in 2009, a Javelin study indicated that stolen wallets and physical documents accounts for 43% of all identity theft (pdf) which means we still need to shred our printed materials. ps References: Privacy Issue in Parking Tickets, Full Circuit Says Appeals court reinstitutes parking ticket lawsuit against Palatine Detailed Parking Tickets Breach Personal Privacy, Appeals Court Says Court Says Parking Tickets Could Be Illegal Senne v. Village of Palatine Driver Information Can Be Sold for Commercial Use Under DPPA (FindLaw's Seventh Circuit Blog) Driver's Privacy Protection Act Seems Fairly Useless (FindLaw's Sixth Circuit Blog) Dumpster Diving vs. The Bit Bucket259Views0likes0CommentsInfographic: Protect Yourself Against Cybercrime
Maybe I’ll start doing an ‘Infographic Friday’ to go along with Lori’s F5 Friday. This one comes to us from Rasmussen College's School of Technology and Design Cyber Security Program and shows the online risks and offers some good tips on how to better protect your computer and avoid being a victim of cybercrime. ps405Views0likes0Comments