Stealing ATM PINs with thermal cameras

At the USENIX Security Symposium last week, researchers Keaton Mowery, Sarah Meiklejohn and Stefan Savage from the University of California at San Diego presented their paper "Heat of the Moment: Characterizing the Ef?cacy of Thermal Camera-Based Attacks."

Inspired by previous research on safecracking by Micha? Zalewski, they thought it would be easier for a criminal to snoop on ATM PINs using a thermal (infrared) camera to detect residual heat from keypresses rather than current techniques using traditional video cameras.

Thermal image of ATM PIN padThermal imaging provides several advantages. Unlike with traditional cameras, visually masking the PIN pad does not defeat the attack, and the ability to automate PIN harvesting using computer software further simplifies the task.

The researchers gathered 21 volunteers and had them test 27 randomly selected PIN numbers using both a plastic PIN pad and a brushed metal PIN pad.

The strength of the participants' button presses and their body temperature were shown to affect the results to some degree. The researchers discovered that the metal pad made the attack nearly impossible to implement, but with the plastic PIN pad, it was even possible to determine from the heat signatures not only the numbers pressed but also the number order.

With the plastic PIN pad, the custom software the researchers wrote to automate the analysis had approximately an 80% success rate at detecting all digits from a frame 10 seconds after the person entered their PIN. The success rate was still over 60% using a frame 45 seconds after the PIN was entered.

Button recovery chartThe researchers also compared human analysis of the video footage to their automation software. It turns out that not only does the software work, but often performs more accurately than the humans looking at the video.

While thermal cameras are a bit expensive, this research suggests that thieves could adopt this technique in the future. It's easier to place and hide the camera, allows automated analysis and could return enough useful results to be profitable.

As far as we know, this attack hasn't been used in the wild, but the cautious among us could opt to use ATMs with metal PIN pads to reduce the risk of becoming a victim.

View This Poll

Follow @chetwisniewski

The ultimate password genius! (Not)

KeysIf I wasn't banging my head against a brick wall so hard, I might actually find this funny.

Consider this question.

"What's your favorite internet password?"

How would you feel if a website asked you tell it what your favorite password is?

Richard Wang, one of the threat experts in SophosLabs, pointed me towards the UPSJobs website, where you can create a profile if you're interested in investigating a career with the company.

As you can see in the video I made, it's easy to create an account - but they don't offer much help when it comes to choosing a sensible password to secure it.


(Enjoy this video? Check out more on the SophosLabs YouTube channel and subscribe if you like.)

The UPSJobs site actually encourages you not to use a unique password, but instead to use a password that other people might be able to guess (such as the name of your most loved pet or movie).

What really gob smacks me, however, is that they should prompt users to use their "favorite internet password"! That's hardly a safe thing to encourage.

What's your favorite internet password? [Click for a larger version]

It actually gets worse. When I first created a profile on UPSJobs, and tried to use a half-decent password (one that contained extended characters such as exclamation marks, and dollar signs), the site wouldn't accept it as my password.

Again, by refusing to accept a more complex password they were actively encouraging me to choose a simpler, easier-to-hack password.

On many occasions Naked Security has written about how to choose a strong password, but it shouldn't be forgotten that websites can do more to assist security too and help prevent innocent users from making unsafe choices.

Follow @gcluley

* Image source: canonsnapper's Flickr photostream (Creative Commons)


Toshiba website hacked – email addresses and passwords exposed

Toshiba logoToshiba announced this weekend that a web server run by its US sales subsidiary had been hacked, and the email addresses, telephone numbers and passwords of hundreds of customers had been compromised.

The Japanese electronics firm said that the server was run by Toshiba America Information Systems Inc., and held personal data relating to 7,520 customers. Fortunately, according to the firm, the personal information exposed did not include any credit card data.

Nevertheless, you don't want your email address and password falling into hands of malicious hackers.

Not only could cybercriminals "try out" your passwords to see if they unlock any of your other online accounts (too many people use the same password on multiple websites), but they could also target you with attacks pretending to come from Toshiba.

After all, you have a business relationship with Toshiba - so you would be less suspicious of opening an email or clicking on a link which appeared to have been sent by them. Especially if some clever social engineering made the email appear particularly enticing.

A Toshiba spokesperson told the Wall Street Journal, that the Toshiba subsidiary's IT staff first noticed a problem with the web server on July 11th, and confirmed on July 13th that it had been hacked.

"We will continue the investigation and intend to thoroughly protect customers' information and manage (related computer) systems to prevent a recurrence."

All customers potentially affected by the hack are said to have been informed of the problem by the firm.

If you run a website it's essential to ensure it is as secure as possible from hacker attacks.

If you haven't already done so, read this informative paper by SophosLabs, "Securing websites", which covers some of the issues.

Follow @gcluley

Lady Gaga website stays strangely silent over database hack

Lady Gaga hackedA gang of hackers known as SwagSec announced at the tail end of last week that they had hacked into Lady Gaga's UK website and made off with a database of names and email addresses of fans. To prove their point, they published the stolen data online.

The press reported that a source close to Lady Gaga said that she was:

"upset and hopes police get to the bottom of how this was allowed to happen"

If she was upset, she made no mention of the hack on her Twitter page, and posted no apology to her UK fans for the poor website security. She wasn't, however, too upset to tweet about Emmy award nominations or to drop a line to Cher about doing a duet remix.

Although it's right that the authorities should be informed regarding SwagSec's illegal activities, there should surely be some recognition at Gaga HQ that perhaps the website was doing a lousy job at securing its fans' information?

Lady Gaga user database

Lady Gaga's record label, Universal, said it had confirmed that the hack had occurred and said that police had been informed:

"The hackers took a content database dump from www.ladygaga.co.uk and a section of email, first name and last name records were accessed. There were no passwords or financial information taken. We take this very seriously and have put in place additional measures to protect personally identifiable information. All those affected have been advised."

The risk to users who had their details compromised, of course, is that they could have been the subject of targeted attacks. Imagine how many of them might have opened an attachment or clicked on a link if they received an email claiming to be about free tickets for a Lady Gaga concert, or a sneak preview of her new video.

But although Universal says that it has contacted everyone who was affected - can they be confident that they know the extent of SwagSec's hack? After all, the hack is claimed to have occurred weeks ago, but was only made public by SwagSec at the end of last week.

Wouldn't it be more open and transparent to have a message to fans of the Lady Gaga UK website, telling them all what occurred. I went looking and couldn't find anything to warn the wider array of Lady Gaga fans.

You may remember that the SwagSec hacking group defaced Amy Winehouse's website earlier this month as well.

One wonders what eccentric female troubadour they will target next..

Follow @gcluley

Goatse hacker pleads guilty to stealing iPad user data

Hacker typingDaniel Spitler, an alleged member of the Goatse Security hacking group, has pleaded guilty to breaking into AT&T's systems and obtaining the email addresses of iPad users.

The story of how a vulnerability on AT&T's website allowed outsiders to scoop up the email addresses of early adopters of the Apple iPad made huge news headlines this time last year.

Goatse (don't Google it, trust me..) bombarded the AT&T website service with thousands of requests using made-up ICC-ID codes (an internal code used to associate a SIM card with a particular subscriber).

By flooding the website with so many made-up ICC-IDC codes, some were bound to relect a genuine one, and when this happened the website believed them to be a genuine iPad user and revealed the associated email address.

Email addresses. Image source: Gawker

In total, about 120,000 iPad users were said to have had their email addresses exposed. The court in Newark, New Jersey heard that victims of the hack included New York Mayor Michael Bloomberg, ABC News anchor Diane Sawyer and Rahm Emanuel, who was the White House chief of staff at the time.

26-year old Spitler, who hails from San Francisco, is scheduled to be sentenced on September 28th, and could face a maximum penalty of five years in prison and a $250,000 fine.

In all honesty, although taking the information was clearly against the law, the hack probably received so much media attention at the time purely because it was iPad-related rather than because of the data that was taken.

That's not to say that you want your email address exposed (it could potentially have become a victim of phishing attacks, for instance, targeting iPad owners) but there is presumably much more damaging information that could have been taken.

Another man, 25-year-old Andrew Auernheimer, has pleaded not guilty to the hacking charges and continues to faces prosecution.

Follow @gcluley

Hackers break into Tony Blair’s webmail server, disclose former PM’s address book

Tony BlairA hacking group known as TeaMp0isoN have published private information belonging to former Prime Minister Tony Blair.

TeaMp0isoN have been in the news recently for allegedly hacking into a web site they claimed belonged to a member of LulzSec.

This time they targeted a webmail server used by Tony Blair in December of 2010. It is unclear why they waited for so long to disclose the breach and there is no evidence as of yet to confirm their story.

The information disclosed includes "Tony Blair Office Members Information, Tony Blair Address & Phone Book (Includes family, friends, MPs & lords) and Katie Kay Curriculum vitae (Tony Blairs special adviser)."

Screen capture of stolen Blair address book

Information on Mr. Blair's friends and colleagues includes names, home addresses, home, work and cell phone numbers and email addresses. Additionally Mr. Blair's National Insurance Number (NIN) and Ms. Kay's CV (resume) are also included in the dump.

We don't know what specific flaws were exploited in this attack, but seeing that it is a webmail server the most likely method was SQL injection. It is extremely important to keep web servers patched and up to date, especially if they are running Linux using commonly exploited CMSs, webmail solutions and blogging software.

TeaMp0isoN logo

This attack like many we have reported on this year appears to be politically motivated. The TeaMp0isoN attackers called Mr. Blair a war criminal in a Twitter post and much of the language used is derogatory.


Dropbox lets anyone log in as anyone – so check your files now!

Customers of cloud-based file storing-and-sharing company Dropbox should check on the data they've entrusted to the service, following the company's admission that it messed up its access controls for several hours.

(Updated: please see footnote below.)

Unlike the majority of data breaches we've reported on lately - where usernames and passwords were stolen, allowing attackers and miscreants to access other people's accounts illegally - Dropbox's "hack" was of a more embarrassing sort.

Apparently, Dropbox published a code update which inadvertently removed the need to authenticate. So you could log in to other people's accounts without knowing their passwords at all. (Dropbox isn't alone in having made this sort of mistake. Facebook did something similar last year, leading to Mark Zuckerberg's own fan page being hacked.)

Ouch.

One popular use of services like Dropbox is to get around the restrictions many companies put on emailing around large files. If I'm working at home and have a huge spreadsheet which I know my IT manager won't let through the email gateway, I can just upload it to Dropbox and share the resulting web link with my colleagues.

In theory, the risk of this should be no worse that me copying the file to a USB key and letting my colleagues copy it from there. (In fact, if you're not careful with USB keys, they may pose a larger risk than sharing web links, since the USB key may contain other files - such as malware - besides the spreadsheet you just saved on it.)

But the safety of a web link allowing you to share a file "through the cloud" depends very strongly on who's able to access that link. If anyone can download it, you run the risk of data leakage. And if anyone can access and modify it, you run the risk of something much worse.

Dropbox can also automatically synchronise your own files between all your various devices, such as your desktop PC, your Mac laptop and your smartphone.

In the company's own promotional video, an intrepid adventurer named Josh uses Dropbox to share and to synchronise detailed information between his numerous devices for his forthcoming safari in Africa.

That means that unauthorised access to your Dropbox data could give cybercrooks an enormous amount of information about your life, your plans and your identity. And unauthorised modification of your Dropbox data could propagate incorrect information throughout your digital world.

Dropbox did well to fix the problem within four hours, and to admit this openly on its blog.

But the "eternal beta" flavour of many cloud services - where updates and improvements are rolled out regularly and frequently to suit the service provider rather than its users - is an often-underestimated risk.

By the way, one way to improve the safety of web-based file sharing is to encrypt the files you share before you upload them. Only someone with the password will be able to decrypt those files. And if you don't have the password, you won't be able to alter their content, either.

If you're interested, Sophos has a free tool for Windows users that you can use to encrypt and compress sensitive information. You can use it for free both commercially and personally.

* Download now (direct download, no registration, Windows only)

* Learn more

Footnote. As alert Twitterer Andy Durdin points out, you can readily see if someone else has changed your Dropbox files. But you can't see if someone else has been snooping through your data.

Dropbox suggests on its blog that less than 1% of accounts were accessed during the unprotected period, and that it will contact those users in case the access was unauthorised.

If your account was accessed, be sure to ask Dropbox for a detailed log of what happened so you can find out what got stolen as well as what got changed. Unauthorised access and unauthorised modification are both bad for your digital well-being.

Follow @duckblog

Citibank victimized by hackers, insists cardholders are safe

CitiCardReuters is reporting that Citibank's systems were hacked, resulting in a loss of Personally Identifiable Information (PII).

Citibank says that data for 1% of their cardholders was accessed through this breach, but customers' Social Security Numbers (SSNs), birth dates, card expiration dates and CVV codes are safe.

Information that may have been disclosed to the hackers includes customers' names, account numbers, contact details and email addresses.

According to Citibank's website they are the world's largest provider of credit cards, issuing more than 150,000,000 cards globally. Based on these numbers, information for 1,500,000 or more individuals may have been compromised.

In April Paul Gaulant, former head of the bank's credit card unit, told Reuters, "Security breaches happen, they're going to continue to happen ... the mission of the banking industry is to keep the customer base safe and customers feeling secure about their financial transactions and payments."

That may be true, but feeling secure is not the same as being secure. How this information was acquired and why it wasn't protected against theft is a far more important question.

Citi has stated they will notify customers believed to be affected by the breach.

Customers affected by this incident should be on high alert for scams, phishing and phone calls purporting to be from Citibank and their subsidiaries.

While Citi customers aren't likely to have fraudulent charges against their accounts as a result of this breach, they are likely to encounter social engineering attempts to enable further crime.

Considering that the attackers have your name, account number and other sensitive information they are able to provide a very convincing cover story to victims.

Never accept incoming communications purporting be from financial institutions you do business with, whether by email or phone call. Call them back using only the phone numbers published on your cards or statements. When logging in to perform online transactions, always enter their website address directly in your browser. Never click links.

Update: It has been confirmed that there are approximately 220,000 cardholders affected by this incident as it was limited to just US customers. The number above was based on all Citibank cardholders.


Infragard Atlanta, an FBI affiliate, hacked by LulzSec

Infragard logoIn a self-titled hack attack called "F**k FBI Friday" the hacking group known as LulzSec has published details on users and associates of the non-profit organization known as Infragard.

Infragard describes itself as a non-profit focused on being an interface between the private sector and individuals with the FBI. LulzSec published 180 usernames, hashed passwords, plain text passwords, real names and email addresses.

Where did the plain text passwords come from? Considering LulzSec was able to decrypt them it would imply that the hashes were not salted, or that the salt used was stored in an insecure manner.

One interesting point to note is that not all of the users passwords were cracked... Why? Because these users likely used passwords of reasonable complexity and length. This makes brute forcing far more difficult and LulzSec couldn't be bothered to crack them.

In addition to stealing data from Infragard, LulzSec also defaced their website with a joke YouTube video and the text "LET IT FLOW YOU STUPID FBI BATTLESHIPS" in a window titled "NATO - National Agency of Tiny Origamis LOL".

Infragard Atlanta's defaced website

Aside from defacing their site and stealing their user database, they tested out the users and passwords against other services and discovered many of the members were reusing passwords on other sites - an violation of FBI/Infragard guidelines.

LulzSec singled out one of these users, Karim Hijazi, who used his Infragard password for both his personal and corporate Gmail accounts according to the hackers.

They've published a BitTorrent with what they claim are nearly 1000 of Hijazi's corporate emails and a IRC chat transcript that proclaims to be a conversation they had with him.

They also disclosed a list of personal information including his home address, mobile phone and other details.

It's hard to say when these attacks will end, but a great start would be to carefully analyze your security practices and ensure that your data is properly encrypted and to regularly scan your servers for vulnerabilities.

As for LulzSec? It appears they have declared war on one of the premier police forces in the world... Their fate remains a mystery.


Sony Europe hacked by Lebanese hacker… Again

Story updated 5-June-2011: Information on the SonyPictures.RU attack can be found at the end of the post.

By my count this is unlucky hack number 13 for Sony. A Lebanese hacker known as Idahc dumped another user database at Sony Europe containing approximately 120 usernames, passwords (plain text), mobile phone numbers, work emails and website addresses.

Snapshot of database dump on pastebin

The attacker claims that he used standard SQL injection techniques to acquire the database. I think it is fair to say it appears that Sony has not learned anything from the previous 12 attacks.

SQL injection flaw? Check. Plain text passwords? Check. People's personally identifiable information totally unprotected? Check.

Idahc tweet about Sony hackIdahc is the same attacker who targeted the Canadian Sony Ericsson site in May, 2011. In his note on pastebin he states: "I was Bored and I play the game of the year : 'hacker vs Sony'." He posted the link to pastebin with the simple note "Sony Hacked: pastebin.com/OMITTED lol."

If you are a database administrator (especially a Sony one) and want to avoid your sensitive data from ending up in the headlines I recommend you actually test your web applications for SQL vulnerabilities.

A great resource with detailed information on how to protect against SQL injection attacks is available at codeproject.com.

You can also download our free technical paper Securing Websites.

Update: In addition to the attack detailed above, the hacking group known as LulzSec has compromised SonyPictures.RU through another SQL injection flaw. No personal information was disclosed in the attack; it appears to have been designed just to continue to point out security flaws in Sony's infrastructure to create PR problems for the media giant. In the note, LulzSec left a message: "In Soviet Russia, SQL injects you..."

Pastebin of sonypictures.ru