Stealing ATM PINs with thermal cameras

At the USENIX Security Symposium last week, researchers Keaton Mowery, Sarah Meiklejohn and Stefan Savage from the University of California at San Diego presented their paper "Heat of the Moment: Characterizing the Efficacy of Thermal Camera-Based Attacks."

Inspired by previous research on safecracking by Michał Zalewski, they thought it would be easier for a criminal to snoop on ATM PINs using a thermal (infrared) camera to detect residual heat from keypresses rather than current techniques using traditional video cameras.

Thermal imaging provides several advantages. Unlike with traditional cameras, visually masking the PIN pad does not defeat the attack, and the ability to automate PIN harvesting using computer software further simplifies the task.

The researchers gathered 21 volunteers and had them test 27 randomly selected PIN numbers using both a plastic PIN pad and a brushed metal PIN pad.

The strength of the participants' button presses and their body temperature were shown to affect the results to some degree. The researchers discovered that the metal pad made the attack nearly impossible to implement, but with the plastic PIN pad, it was even possible to determine from the heat signatures not only the numbers pressed but also the number order.

With the plastic PIN pad, the custom software the researchers wrote to automate the analysis had approximately an 80% success rate at detecting all digits from a frame 10 seconds after the person entered their PIN. The success rate was still over 60% using a frame 45 seconds after the PIN was entered.

The researchers also compared human analysis of the video footage to their automation software. It turns out that not only does the software work, but it often performs more accurately than the humans looking at the video.

While thermal cameras are a bit expensive, this research suggests that thieves could adopt this technique in the future. It's easier to place and hide the camera, allows automated analysis and could return enough useful results to be profitable.

As far as we know, this attack hasn't been used in the wild, but the cautious among us could opt to use ATMs with metal PIN pads to reduce the risk of becoming a victim.


Follow @chetwisniewski

The ultimate password genius! (Not)

If I wasn't banging my head against a brick wall so hard, I might actually find this funny.

Consider this question.

"What's your favorite internet password?"

How would you feel if a website asked you to tell it what your favorite password is?

Richard Wang, one of the threat experts in SophosLabs, pointed me towards the UPSJobs website, where you can create a profile if you're interested in investigating a career with the company.

As you can see in the video I made, it's easy to create an account - but they don't offer much help when it comes to choosing a sensible password to secure it.

The UPSJobs site actually encourages you not to use a unique password, but instead to use a password that other people might be able to guess (such as the name of your most loved pet or movie).

What really gobsmacks me, however, is that they should prompt users to use their "favorite internet password"! That's hardly a safe thing to encourage.

What's your favorite internet password? [Click for a larger version]

It actually gets worse. When I first created a profile on UPSJobs, and tried to use a half-decent password (one that contained extended characters such as exclamation marks, and dollar signs), the site wouldn't accept it as my password.

Again, by refusing to accept a more complex password they were actively encouraging me to choose a simpler, easier-to-hack password.

On many occasions Naked Security has written about how to choose a strong password, but it shouldn't be forgotten that websites can do more to assist security too and help prevent innocent users from making unsafe choices.

Follow @gcluley

* Image source: canonsnapper's Flickr photostream (Creative Commons)


Aldi supermarkets withdraw infected hard disks

The Australian media is full of reports that the local arm of German-headquartered supermarket giant Aldi has been selling removable hard drives complete with a pre-installed virus.

Aldi joins an extensive list of companies which have managed similar snafus in the past, including IBM (pre-infected USB keys, given away at a security conference, no less), Olympus (pre-infected cameras), Samsung (pre-infected phones) and Best Buy (pre-infected digital picture frames).

Oh, and Aldi (pre-infected PCs). That's right - Aldi has done this before.

Last time, back in 2007, the virus it shipped was Angelina - a boot sector virus which relies on floppy disks to spread and was largely considered extinct, but obviously wasn't. This time, I'm afraid we don't yet have a name for the virus.

Someone from SophosLabs in North Sydney is making a dash to the local Aldi to see if he can find one that hasn't been withdrawn from sale yet.

If we find out any more details, I'll update this article; if not, I'm sure he'll take the opportunity to pick up a few 24-packs of potato crisps and a couple of metric dozens of ice-cream cornets whilst he's there, so it won't be a wasted trip.

(Update: our field researcher reports that the afflicted devices have gone without a trace, or perhaps were never offered in stores. He sadly failed to return with any comestibles, but did admit to having been "eyeing the pizza oven and the meat slicing machine like in delis." SophosLabs prosciutto pizza, anyone?)

Apparently, the affected device is an external 4-in-1 hard drive, DVD, USB and card reader device. It's still being offered on-line, and at $99, it sounds like quite a useful peripheral to go with a budget netbook which doesn't have much storage or many memory card slots of its own. But if you've bought one, I recommend you give it a thorough virus scan.

Or simply zap the hard drive, removing and recreating all the partitions on it. You'll lose all of the freebie software pre-installed on the hard disk, but that's actually highly desirable since the one thing you now know is that you can't trust any of it.

Aldi, one imagines, will now be shopping for a more reliable supplier of peripherals.

Follow @duckblog

Lady Gaga website stays strangely silent over database hack

A gang of hackers known as SwagSec announced at the tail end of last week that they had hacked into Lady Gaga's UK website and made off with a database of names and email addresses of fans. To prove their point, they published the stolen data online.

The press reported that a source close to Lady Gaga said that she was:

"upset and hopes police get to the bottom of how this was allowed to happen"

If she was upset, she made no mention of the hack on her Twitter page, and posted no apology to her UK fans for the poor website security. She wasn't, however, too upset to tweet about Emmy award nominations or to drop a line to Cher about doing a duet remix.

Although it's right that the authorities should be informed regarding SwagSec's illegal activities, there should surely be some recognition at Gaga HQ that perhaps the website was doing a lousy job at securing its fans' information?

Lady Gaga user database

Lady Gaga's record label, Universal, said it had confirmed that the hack had occurred and said that police had been informed:

"The hackers took a content database dump from www.ladygaga.co.uk and a section of email, first name and last name records were accessed. There were no passwords or financial information taken. We take this very seriously and have put in place additional measures to protect personally identifiable information. All those affected have been advised."

The risk to users who had their details compromised, of course, is that they could have been the subject of targeted attacks. Imagine how many of them might have opened an attachment or clicked on a link if they received an email claiming to be about free tickets for a Lady Gaga concert, or a sneak preview of her new video.

But although Universal says that it has contacted everyone who was affected - can they be confident that they know the extent of SwagSec's hack? After all, the hack is claimed to have occurred weeks ago, but was only made public by SwagSec at the end of last week.

Wouldn't it be more open and transparent to have a message to fans of the Lady Gaga UK website, telling them all what occurred? I went looking and couldn't find anything to warn the wider array of Lady Gaga fans.

You may remember that the SwagSec hacking group defaced Amy Winehouse's website earlier this month as well.

One wonders what eccentric female troubadour they will target next.

Follow @gcluley

Apple iOS 4.3.4 jailbreak bugfix jailbroken already

Most iPhone and iPad users are perfectly happy with the software on the device as it is shipped by Apple.

A minority, however, prefer to open up their devices. By doing this, they can:

* Run applications and extensions not approved by Apple.

* Download software from alternative appstores, without tying those downloads to an Apple account.

* Access all the files and configuration data on their device directly, in order better to understand and secure it.

Liberating your device sounds like a great idea, but this behaviour has been stigmatised amongst corporate users.

Firstly, the action of removing artificial security restrictions is known as "jailbreaking," making it sound like a doubly-dangerous criminal act. (Since only crooks are supposed to be in jail in the first place, jailbreakers are not only criminals, but recidivists to boot.)

Secondly, jailbreaking opens up the less security-savvy user to additional risks. Some jailbreakers don't take on the additional responsibility which goes with the increased power over their device. That's how the now-infamous iPhone viruses Ikee and Duh were able to spread.

Thirdly, jailbreaking isn't supposed to be possible. So every jailbreak relies on you exploiting a software vulnerability to escape from Apple's artificial strictures. That means you have to trust the creators of the jailbreak not to abuse the exploit you're choosing to run against your device.

The flipside, of course, is that those who don't jailbreak their phones are trusting Apple not to leave the sort of exploitable hole that would permit crooks to break into the internals of their device.

And Apple hasn't been terribly trustworthy on that score. Despite a solid commercial reason for keeping its devices secure - namely, that an unjailbroken device can only shop at the Apple AppStore - few of Apple's operating system versions stay safe for very long.

Early in July, the JailbreakMe site published an automated, on-line method for opening recent iDevices running iOS 4.3.3.

(The jailbreakers also provided a patch by which you could close the remotely exploitable hole, for your own safety, after jailbreaking.)

Apple, to its credit, caught up within two weeks with an iOS update to version 4.3.4, closing the hole used by JailbreakMe.

But the jailbreakers claim to be back in already. By all reports, the latest jailbreak doesn't work for iPad2 users, and it can't be done simply by visiting a website.

You need to plug your device in to a computer, in what's called a "tethered" jailbreak, and you need to re-jailbreak it every time you reboot.

Nevertheless, Apple's latest security fix has been circumvented already.

With this in mind, the tricky question becomes, "Whom should I trust more: Apple or the jailbreakers?"

I can't answer that question - and if your iDevice is provided by your company, you shouldn't try to answer it by yourself.

Perhaps the best way to approach the issue is to rephrase it more equivocally, in the manner of Google, which sets out not to be evil, rather than actually to be good.

So, if you're thinking of jailbreaking, ask yourself, "Do I distrust the jailbreakers?" If not, then jailbreaking may be for you. Just be sure to read all the security guidelines associated with the process, and be sure you have the explicit permission of the owner of the device.

PS. I have an iPad. It is jailbroken.

Follow @duckblog

Apple releases iOS 4.3.4/4.2.9 to fix JailBreakMe.com flaw

A little more than a week after disclosure, Apple has patched three flaws in iOS for iPod Touch, iPad, iPad 2, iPhone 3GS, iPhone 4 and the Verizon iPhone.

You may recall the return of the website JailBreakMe.com 10 days ago which exploited these vulnerabilities to provide an easy method of jailbreaking your iDevice.

The updated version for all but the Verizon iPhone is version 4.3.4, while Verizon customers can update to 4.2.9. To update just open iTunes, check for updates and plug in your phone/MP3 player/tablet.

This raises one of my big pet peeves with Apple products: why do I have to tether to update? Oh! I see you will have that feature in iOS 5? I guess I will stay vulnerable until I happen to be in the same city as my copy of iTunes...

Two of the fixes are for font handling issues in PDFs that allow for remote code execution (RCE). The third fix is in the graphics handling code and can be exploited to allow for elevation of privilege (EoP).

It appears the JailBreakMe.com hack used at least two of the three flaws to jailbreak the iDevices. It initially downloaded a PDF to gain the ability to run arbitrary code and then sent down a PNG file that elevated itself to root to perform the jailbreak.

If your phone is not jailbroken, I recommend updating as soon as possible. If you have jailbroken your device you will need to decide if you wish to trust the unofficial "patch" on Cydia and stay jailbroken, or if you should join the herd and go with Apple.


‘Foreign government’ hackers steal secret Pentagon plans

The US Deputy Defense Secretary William Lynn has revealed that a foreign intelligence agency was behind a hack attack that stole classified information about a top secret weapons system.

According to Aviation Week, the weapons system, which is under development, might have to be redesigned after the files were stolen from a military contractor's computer network.

Plans and confidential blueprints were included in the haul of 24,000 files said to have been copied by the hackers.

The revelation came to light as William Lynn gave a speech at the National Defense University (NDU) in Washington DC, outlining his department's "first ever strategy for operating in cyberspace". Recognising that the problem extended beyond its own networks, the Pentagon is piloting a program to share classified intelligence about threats with select military contractors and their ISPs.

NDU was somehow an appropriate venue for the speech - Lynn told his audience that the National Defense University itself had fallen victim to hackers after its "website and its associated server were recently compromised by an intrusion that turned over system control to an unknown intruder."

William Lynn speech

Lynn's speech contained much jaw-jaw about the nature of cyberwar - and how it could vary from destructive attacks to information theft:

"Tools capable of disrupting or destroying critical networks, causing physical damage, or altering the performance of key systems, exist today. The advent of these tools mark a strategic shift in the cyber threat - a threat that continues to evolve. As a result of this threat, keystrokes originating in one country can impact the other side of the globe in the blink of an eye. In the 21st Century, bits and bytes can be as threatening as bullets and bombs."

"But disruptive and destructive attacks are only one end of a continuum of malicious activity in cyberspace that includes espionage, intellectual property theft, and fraud. Although in the future we are likely to see destructive or disruptive cyber attacks that could have an impact analogous to physical hostilities, the vast majority of malicious cyber activity today does not cross this threshold."

"In looking at the current landscape of malicious activity, the most prevalent cyber threat to date has been exploitation - the theft of information and intellectual property from government and commercial networks."

I have always been nervous of the tendency amongst governments to point fingers at foreign nations and blame them for an internet attack. For instance, Lynn claims that a foreign government was involved in the hack, but does not say which one.

You have to ask yourself, why the reluctance to say which country? And if you don't know which country, how do you know it was any country?

Of course, the US Deputy Defense Secretary has shown himself to be tight-lipped on matters to do with internet attacks in the past. For instance, he declined to confirm or deny if the USA had been responsible for the Stuxnet virus.

And we shouldn't be naive. Just because it's hard to prove that a particular country was behind a particular cyber attack, doesn't mean that that country is whiter-than-white when it comes to such things.

My suspicion is that all countries are using the internet to their advantage when engaged in espionage - whether it be for political, economic or military ends.

What surprises me, however, is that Lynn claims that this sort of "sophisticated capability" (the ability to hack into military contractor computer systems and steal files) is almost exclusively within the abilities of nation states, and that the only thing stopping countries from using the internet to destroy their enemies is the risk of a military counter-attack:

"Today, sophisticated cyber capabilities reside almost exclusively in nation-states. Here, U.S. military power offers a strong deterrent against overtly destructive attacks. Although attribution in cyberspace can be difficult, the risk of discovery and response for a major nation is still too great to risk launching destructive attacks against the United States. We must nevertheless guard against the possibility that circumstances could change, and we will have to defend against a sophisticated adversary who is not deterred from launching a cyber attack."

Of course, terrorists probably wouldn't fear a counter-attack like this. Why haven't they launched a destructive strike against the United States? Well, Lynn has an answer for that:

"If a terrorist group gains disruptive or destructive cyber tools, we have to assume they will strike with little hesitation. And it is clear that terrorist groups, as well as rogue states, are intent on acquiring, refining, and expanding their cyber capabilities."

Hmm. So, thank goodness that only governments know how to get their hands on the most dangerous and destructive internet weapons and that the rest of the world just isn't as sophisticated.

Marine Gen. James Cartwright, Vice Chairman of the Joint Chiefs of Staff, told the press gathered at NDU that he believed a defensive approach to cyberwar is insufficient, and that the current situation of the Pentagon being 90% focused on defensive measures and 10% on offensive, should be reversed.

One thing is clear amongst all this talk: computer security needs to be taken seriously. Cybercriminals, whether state-sponsored or not, are regularly going beyond damaging and defacing websites to stealing sensitive information which could have more than a financial value. You would be foolish to ignore such a threat; make sure that you have strong defences in place.

Meanwhile, the US Department of Defense says that it is now treating cyberspace as an operational domain - alongside land, air, sea and space. As such, I think we can expect to see more speeches warning about the perils that the United States faces from other nations and terrorist forces.

Follow @gcluley

Further reading: You can read the full speech by William Lynn on the defense.gov website.


Zeus for Android and fake Kaspersky Antivirus 2011

Over the weekend I wrote about the discovery of the potential Android component of the Zeus information-stealing toolkit (also known as Zitmo).

I wanted to share an update as there are further developments which have been uncovered about the relationship between the Zeus toolkit and Andr/SMSRep-B.

Thanks to Denis from Kaspersky Labs we can now confirm that the fake Trusteer Rapport application is related to malicious websites set up as command-and-control servers for several Zeus/Zbot botnets.

The server-side Zeus application checks for the User-Agent string of the HTTP requests and delivers the malicious payload based on the browser type.

In the case of Android, the default browser User-Agent string will be similar to "Mozilla/5.0 (Linux; U; Android 2.2)..." and from there the operating system can be easily determined.

On a separate note, it seems that the tradition of malware pretending to be legitimate anti-virus software for Android is spreading.

After Trusteer, the next target is Kaspersky Labs. Yesterday, I had a chance to analyse a sample of Android malware which attempts to fool the user into installing the package by looking like a legitimate Kaspersky Antivirus 2011 product.

The application package uses an icon similar to the Kaspersky Lab icon, but the actual functionality is far less useful than the functionality of the legitimate product.

When the package is launched the malware attempts to get the unique device id number and transform it into an "activation code". The fake activation code is then displayed in a standard Android view.

Fake Kaspersky Antivirus 2011

In the background, the application installs a broadcast receiver that attempts to intercept SMS messages and send them to a web server set up by the attacker.

Luckily, in the case of this malware (which Sophos detects as Andr/SMSRep-C), the command-and-control web server IP address is 127.0.0.1 (localhost), which does not make the malware very useful.

Clearly, this is just an early test build and we will have to be on watch for the next version which will be connected with a real malicious server.

Although the functionality of Andr/SMSRep-B and Andr/SMSRep-C is quite similar, the code does not indicate that they have been developed by the same author.
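As an added, defender-side illustration of the traits described in this section (a device-id "activation code", a broadcast receiver hooked on incoming SMS, and network access to ship them out), here is a manifest triage script written for this page; it is not Sophos's detection code or anyone else's. Both manifests it parses are constructed, and the finding names are assumptions; the heuristics apply to any AndroidManifest.xml, not just this sample.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Constructed manifest modelled on the behaviour described above.  It is
# NOT the manifest of the real Andr/SMSRep-C sample.
SUSPECT_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeav">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Antivirus 2011">
    <activity android:name=".ActivationActivity"/>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign manifest: network access and a receiver, but no SMS hook.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def attr(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def analyse_manifest(xml_text):
    """Return declared permissions, SMS receivers and heuristic findings."""
    root = ET.fromstring(xml_text.strip())
    perms = {attr(p, "name") for p in root.iter("uses-permission")}
    sms_receivers = []
    for recv in root.iter("receiver"):
        for flt in recv.iter("intent-filter"):
            actions = {attr(a, "name") for a in flt.iter("action")}
            if SMS_RECEIVED in actions:
                # A high priority lets the receiver see (and abort) the SMS
                # broadcast before the default messaging app gets it.
                priority = int(attr(flt, "priority") or 0)
                sms_receivers.append((attr(recv, "name"), priority))
    findings = []
    if sms_receivers and "android.permission.INTERNET" in perms:
        findings.append("sms-receiver-with-network")   # can forward SMS
    if any(prio >= 100 for _, prio in sms_receivers):
        findings.append("high-priority-sms-receiver")
    if sms_receivers and "android.permission.READ_PHONE_STATE" in perms:
        findings.append("device-id-plus-sms-interception")  # "activation code"
    return {"package": root.get("package"), "permissions": sorted(perms),
            "sms_receivers": sms_receivers, "findings": findings}
```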


Google+ runs out of disk space, spams users with notifications

Some early adopters of Google+ have found themselves bombarded with multiple notification messages in their email, due to a bug in the social network's code after the site - astonishingly - ran out of disk space.

Vic Gundotra, Senior Vice-President of Social for Google, posted an apology (appropriately enough) on his Google+ account to those users affected, painting the social network as having been a victim of its own success.

Google spam apology

Please accept our apologies for the spam we caused this afternoon.

For about 80 minutes we ran out of disk space on the service that keeps track of notifications. Hence our system continued to try sending notifications. Over, and over again. Yikes.

We didn't expect to hit these high thresholds so quickly, but we should have.

Thank you for helping us during this field trial, and once again, we are very sorry for the spam.

It's pretty embarrassing for Google+ to suffer from such a bug - you can hardly imagine how the site could conceivably "run out of disk space", even if it is still technically undergoing trials.
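As an added illustration of the failure mode the apology describes (not Google's code), the following constructed Python model contrasts a dispatcher that sends first and records afterwards, which re-sends on every pass once the tracking store is full, with one that records before sending, deduplicates on a notification key and bounds its retries. The store, the keys and the worker names are assumptions.

```python
from dataclasses import dataclass, field


class DiskFull(Exception):
    """Simulated 'no space left' error from the notification-tracking store."""


@dataclass
class TrackingStore:
    """Stand-in for the service that keeps track of sent notifications.
    capacity=0 simulates the out-of-disk-space state in the apology."""
    capacity: int
    sent: set = field(default_factory=set)

    def record(self, key: str) -> None:
        if key not in self.sent and len(self.sent) >= self.capacity:
            raise DiskFull(key)
        self.sent.add(key)

    def contains(self, key: str) -> bool:
        return key in self.sent


def naive_worker(store: TrackingStore, event_key: str, passes: int) -> list:
    """Send first, record afterwards.  When record() fails the event stays
    in the pending queue, so every later pass emails it again."""
    emails = []
    pending = [event_key]
    for _ in range(passes):
        if not pending:
            break
        key = pending[0]
        emails.append(key)          # the email has already gone out...
        try:
            store.record(key)       # ...and bookkeeping fails on a full disk,
            pending.pop(0)
        except DiskFull:
            pass                    # so the same event is re-sent next pass
    return emails


def hardened_worker(store: TrackingStore, event_key: str, passes: int,
                    max_attempts: int = 3) -> list:
    """Record before sending (no durable record, no email), skip keys that
    are already recorded, and stop after max_attempts so a storage outage
    degrades to 'no notification' rather than 'endless notifications'."""
    emails = []
    attempts = 0
    for _ in range(passes):
        if store.contains(event_key):
            break                   # already delivered: idempotent no-op
        if attempts >= max_attempts:
            break                   # give up and let monitoring raise it
        attempts += 1
        try:
            store.record(event_key)
        except DiskFull:
            continue                # nothing recorded, nothing sent
        emails.append(event_key)
        break
    return emails
```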

High profile sufferers included Rory Cellan-Jones, BBC News's technology correspondent, an influential reporter who would hardly be high on your list of people you want to slate the social network.

Rory Cellan-Jones (@ruskin147) tweeted:

Getting zillions of Google+ emails, including duplicates which is apparently a bug. Already dubious about its usefulness...

Of course, accidental spam like this is better than being hit by spam containing Viagra adverts, phishing messages and malicious links - but it's still a nuisance and precisely the kind of irritating bug that is likely to upset users.

If you are on Google+, and want to keep informed about the latest security news, consider adding me to one of your circles.

Follow @gcluley

MasterCard.com brought down in apparent Wikileaks-motivated internet attack

MasterCard's website was knocked offline earlier today following a WikiLeaks-inspired internet attack against it.

In what appears to be the latest salvo by hacktivists, the mastercard.com website is thought to have suffered from a denial-of-service attack - where an internet site is bombarded with a large amount of traffic making it impossible for genuine visitors to access it.

A Twitter user called ibomhacktivist seems to be taking responsibility for the attack, and links the action to the WikiLeaks-inspired attack on MasterCard by the Anonymous group last year.

Tweet about Mastercard.com website

MasterCard.com DOWN!!!, that's what you get when you mess with @wikileaks @Anon_Central and the entire community of lulz loving individuals :D

MasterCard angered the hacktivist community after it suspended the ability for WikiLeaks to accept payments via the firm. Police in the Netherlands arrested two teenagers for allegedly playing their part in the attacks last year.

WikiLeaks is a subject which tends to generate strong emotions - whether you're in favour of what the organisation stands for, or against it.

Computer users would be wise, however, to remember that even if you feel WikiLeaks is being persecuted by the authorities or abandoned by online companies, denial-of-service attacks are still illegal.

I'll update this article with more information as it becomes available, or alternatively follow me on Twitter.

Follow @gcluley

Update: The MasterCard.com website appears to be back online. It will be interesting to see if it stays up, or whether it will sporadically disappear again. Fingers crossed.