Wednesday, January 14, 2015

Weekly Deep Dive: Germany may Secure Communications with Typewriters


This story sat in my draft folder as my human offspring, wife's writing career, Shellshock, and POODLE consumed my life. I think this story is still an interesting blend of old and new security issues that is worth posting.

This story originally broke in July of 2014.

Miss Germany could not be reached for comment on this story.

Multiple stories detailed a German parliamentary committee that examined ways to address NSA spying within Germany. One of the options discussed: switching to mechanical typewriters. You read that correctly: not just typewriters, but mechanical typewriters. The fear is that electronic typewriters may prove to be susceptible to monitoring.

I adore this: low-tech foiling of high-tech espionage. Billions of dollars in state-of-the-art monitoring brought down by the humble mechanical typewriter.

The German committee already uses encrypted emails, secure electronic communications, and places their phones in a metal box when convened to prevent eavesdropping.

Would creating documents on a mechanical typewriter really stop the interception of communications? What precautions should the German Parliament take if they use mechanical typewriters?

Are you a security professional working for a law firm or financial institution that still uses electric typewriters? If so, this discussion could be applicable to you. Anything used to create and store information falls into the domain of the information security professional and must be protected.

After the jump we will discuss how typewriters relate to the CIA triad along with ways mechanical typewriters could be monitored. We will also cover how you can create controls to protect typewriters and the documents made on them. 

Monday, January 12, 2015

#PWNED - United States Central Command Twitter Account Hacked


A group claiming to be part of ISIS hacked the US Central Command Twitter profile today in an act of "cyber terrorism". While the attackers were in control of this account they made threats and posted documents with "sensitive military information".

There are a few very important things to note:
There are, however, a few serious concerns, and they aren't items I see making the rounds in news posts.
  • I would hope that US Central Command would realize their Twitter account was at least as hackable as these celebrities.
  • I've heard no confirmation of two-factor authentication being used, which is available for free to anyone with a phone and a Twitter account.
  • Why do these accounts exist in the first place? Is there a public outcry for tweets from Central Command about their goings on? #InternationalMilitaryCollaboration #WhereMyAlliesAt
  • How did they do it? We may never really know. Password resets are tied to email accounts with wildly varying reset processes and security questions. A breach of the email account used for password reset is as good as a breach of the targeted system. Let this story of account access spiraling out of control serve as a cautionary tale. 
I often wonder if accounts like this are not a form of honeypot. A nice sticky gooey Twitter account just begging to be defaced by script kiddies the world over. It's off the DoD network and can be used to gather information about groups that would attack DoD systems were this low-hanging fruit not there. A curious thought for sure.

What I would bet on is this:

  1. Somewhere the person in charge of this account is at a table having a terrible, horrible, no good, very bad day.
  2. The person on the other side of the table is ordering someone in DoD telecom to issue a BlackBerry that stays locked in a safe at CentCom. This BlackBerry will be used just for two-factor Twitter authentication.
  3. A team of very serious people are combing through a mountain of log files to determine the source of the unauthorized account access.
In the end... this is a prank. There is egg and that egg is located on someone's face. There is no real danger beyond the shame of a major military organization having their Twitter "pwned".

What can you do to secure your Twitter feed?
Remember, reputation is just as important as information. Protect your accounts even if the information stored on them is low value. Someone could use that access against you and harm your reputation. Just ask @centcom.


Saturday, January 10, 2015

Security Theater: ATM Admin Panel Publicly Accessible

...SecuritySensesTinglingDroolingIntensifies...

During a stop at my local national chain gas station I found this inexplicable ATM configuration. I did my best to obfuscate a lot of the detail while preserving the sense that the details are "there". I also scratched out areas where the chain name is easily seen.

I would've gotten closer, but I didn't want to look like I was casing the place. There is little difference between security research and premeditation. Not to mention, I was not authorized to try and untangle this security rat's nest. Observation is all I could really do.

What you see is the backside of the outside-facing ATM. You can also see a touchscreen access panel that, at the time, was giving a number of interesting error codes. The top half seems to be a simple double wafer lock. Based on this talk the key could likely be purchased on the Internet for about $10. There are notes on the ATM regarding how and when to put it in supervisor mode, its ID, who to call for support, etc. The supervisor mode is activated by the rear touchscreen.

Sure, there are cameras. Sure, there are people in the store. Sure, the cash is in the vault at the bottom and is better protected. However, I would bet if I walked in looking like an ATM repair guy and introduced myself they would be all too happy to let me go about my business. ATMs are not the bastion of security people think they are and they need to have better security than this. Recently two teenagers "hacked" ATMs using the manufacturer default passwords. At Defcon 18 there was a wonderful demo on remotely "jackpotting" ATMs to get them to spit out all their cash. All you needed in the demo was access to that top box and a little know-how. Recently these attacks have shown up in Europe.

This is security theater. It makes you feel safe using the device while completely lacking in common-sense security.