Security Resources

Security News and Information

Security-related events and commentary from around the web, with emphasis on issues that affect physical, electronic, and data security management.

Next Generation Product Protection Coming Soon…

Tamper-Resistant Packaging

In the works for several years, this new packaging uses graphene printing technology (conductive ink) to create a concealed, low-cost circuit that is destroyed when opened. A battery-operated module sounds an alarm if someone attempts to cut or open the package before purchase. The alarm module would be removed at the point of sale and reused.

The solution, offered by MeadWestvaco, promises to reduce the cost and complexity of other product protection devices such as alarming wraps (aka SpiderWraps™) and boxes (aka Keepers or Safers). The idea that almost any size product could be protected by the same snap-on alarm module would have broad appeal within retail. Today, it is common for each store to stock numerous sizes of wraps, boxes, and tags – with some merchandise lacking desired protection solely due to its shape. The cost to store and apply these devices can be significant, but when the alternative is locking up merchandise, most retailers find it acceptable. Numerous studies have shown that securing products in cabinets or behind checkout counters results in a significant reduction in sales, compared with open-display merchandising.

The “Natralock® with Siren™” may have an additional tamper-resistant benefit, since the circuit shape and location are embedded within the layers of packaging material. As long as the alarm module and its connections to the packaging are not easily defeated, the system as a whole could prove to be more difficult to bypass without triggering an alarm.

Benefit-Denial

Another new type of product protection technology is being offered by Proteqt. The solution consists of a “lock” that can be placed on products at the point of manufacturing or packaging, and is electronically released at the point of sale using radio frequency communication. Upon opening the packaging, the purchaser is able to remove and discard the lock. A review of the manufacturer’s website provides little detail about the security involved in the unlocking process, but it is presumably [hopefully] several steps above the magnetically-released locks found in most store-applied security tags.

This category of products is called “benefit denial” because an attempt to remove the lock before it is deactivated results in damage to the merchandise, typically rendering it unusable or unsaleable. Related products include clothing security tags containing ink capsules that break if the tags are forcibly removed, and DVD packaging with “teeth” that tear into the product unless removed using a special key.

 

 

Resources Added

A new section has been created on the site for posting helpful resources and links.

You will see that “Resources” has been added to the top menu bar, and includes these items to start:

Video Resolution Information – with acronyms and dimensions of popular formats. A great reference that is also available as a PDF.

Industry links – Chances are, most of these will be familiar, but this list will be curated to contain only the best sources of information on the web.

POS Malware Found in 40 Countries

As reported by the Israel-based IT security firm, Seculert, malware has been found in POS systems in 40 countries, stealing credit card information from hundreds of thousands of consumers. Why should this matter to security integrators? Read on…

“Dexter” – the name given to the malware – appears to target Windows-based systems and servers, and uses a command and control server to tailor attacks and collect stolen data. It is custom-made, and has been used over the past 2-3 months to infect hundreds of POS systems. Some of the targeted systems include big-name retailers, hotels, restaurants and even private parking providers.

One of the unknowns is the method of delivery, since many of the affected systems are servers which would typically not be used for web browsing or other common tasks which might result in infection. It is believed that the attackers may have compromised other computers or devices on the same network, then launched an attack on the server from inside the target’s network.

Once installed, Dexter looks for processes that correspond to specific POS systems, and when it finds them, dumps the memory and parses it for credit card (track one and two) information to send to the C&C server. End-to-end encryption, which protects data from the card reader all the way to the payment processor, would prevent the attack from being successful – but adoption of this technology is slow due to the cost of new hardware.

Security integrators should be concerned about the possibility of their hardware being an attractive vector for future attacks. With the proliferation of DVR/NVR systems (and other security equipment) that integrate with POS – or those that simply share the store LAN/WAN – attackers may find these targets irresistible. PC-based video recorders, in particular, would provide a powerful platform from which to probe the network and infect vulnerable systems. See this post for additional thoughts on the subject.

Worst Security Snafus of 2012 Summarized


No commentary needed for this one. A great summary of the most notorious and newsworthy data security events of the year…

CIO.com: Worst Security Snafus of 2012

 

Mandated Video Surveillance Passes in Pine Bluff, AR

This is an update to the post titled “Mandated Video Surveillance – Let’s Hope Not…”

According to the Pine Bluff Commercial newspaper, the Pine Bluff City Council passed a revised version of the ordinance that requires certain businesses to install and maintain video surveillance systems. Though well intentioned, the ordinance appears to have been watered down so thoroughly that it is little more than a suggestion – while requiring taxpayer resources to manage compliance.

Initially, the ordinance called for fines of up to $1,000, but after public and council discussions, the fine was decreased to $25 per violation. Businesses open before Jan. 1, 2013, are exempted – unless they make five or more calls to police regarding criminal activity, in which case compliance becomes compulsory. Prominent signage that a business is being monitored by security cameras is also part of the ordinance.

The Pine Bluff fire department will verify surveillance system functionality during annual inspections, and also perform random checks. If a system is found to be below the standards (which do not seem to be defined/published yet), the case is referred to the police department for verification and enforcement. The only specifics so far about what is required are that a business install “one or more” cameras, and that they may not be left inoperable or deliberately deactivated. Hopefully there will be more detail in the final version of the ordinance. If not, I suppose a single camera in the broom closet of a convenience store would pass inspection…?!


What’s Inside a $65 DVR?

As mentioned in a previous post about importing cameras from China, there are some amazingly low-cost recording devices available today. How well do they perform and what can you expect if you decide to order one? In this post, I will share some background and information about one model I brought in to satisfy my own curiosity.

In need of a replacement for my aging GE StoreSafe DVR, I scoured several online resellers in search of a unit that had – at a minimum – D1 recording with H.264 compression, network viewing via a mobile app, and at least four analog inputs. Since the DVR would only be used for a simple home viewing system, my process and criteria were quite a bit different than those used for evaluating commercial products. After identifying several candidates, I settled on this one from AliExpress, due to the large number of positive reviews and the price:features ratio (based on published specs).

The price was an unbelievable $65 USD, which included shipping! I placed my order on November 5th, and the unit arrived on December 14th – about average for orders like these.

You can view the most current information online, but here are the specs at the time I ordered:
[Image: DVR specifications]

And here are pictures of what I received:

[Images: DVR package, box, front panel, rear panel, accessories, internal view]

The heatsink appears to be installed at an odd angle in relation to the chip. I don’t see any reason for it – so I’m calling this a manufacturing defect for now. Other than that, the board layout is nice and clean, with no signs of reworking that I can detect.

[Image: DVR circuit board]

The DVR is supplied without a hard drive. I added a spare 320GB SATA drive I had sitting around, but the unit is spec’d to support up to 2TB. Here is a picture of the system with the drive installed:

[Image: DVR with hard drive installed]

So far, so good…

Next came the configuration and software installation. More on that in another post…

Niagara Industrial Controllers Hacked

Following up on my post about industrial controller vulnerabilities, it is now being reported that such hacking has been seen “in the wild” – underscoring the importance of securing these systems as quickly as possible.

From the article: (emphasis added) “Hackers illegally accessed the Internet-connected controls of a New Jersey-based company’s internal heating and air-conditioning system by exploiting a backdoor in a widely used piece of software, according to a recently published memo issued by the FBI.

The backdoor was contained in older versions of the Niagara AX Framework, which is used to remotely control boiler, heating, fire detection, and surveillance systems for the Pentagon, the FBI, the US Attorney’s Office, and the Internal Revenue Service, among many others. The exploit gave hackers using multiple unauthorized US and international IP addresses access to a Graphical User Interface (GUI), which provided a floor plan layout of the office, with control fields and feedback for each office and shop area, according to the memo, which was issued in July. All areas of the office were clearly labeled with employee names or area names.”

The controller was reportedly connected to the internet without a firewall.

FBI Memo: Vulnerabilities in Tridium Niagara Framework Result in Unauthorized Access to a New Jersey Company’s Industrial Control System

 

Curious About Ransomware? Read On…

It is bad enough to experience a “typical” virus or malware infection on your computer. With luck, you catch it early and scrub the problem with software tools. Worst case, you reformat and reinstall your OS, restoring files from your [always up to date!] backups. “Ransomware,” however, introduces a particularly insidious component that justifies extra caution and preparation…

In short, and as the name implies, this malware variant is intended to hold your files and/or system “hostage” until a fee is paid. This is often done by encrypting personal files on the hard drive. You haven’t lost any data (yet), but without the key, you cannot access it. As you might expect, it is common for victims to pay the hacker and never receive instructions for decrypting their files.

An interesting twist on the scheme involves locking the operating system itself, and displaying a screen that accuses the user of a range of crimes, from copyright violations to child pornography. The message claims to be sent from the FBI, and instructs the user to pay a “fine” in order to unlock their machine. Here is a screenshot of one such scam:

[Image: ransomware lock screen]

The best defense against ransomware is, of course, a good offense. The use of quality anti-virus and anti-malware tools is a must, and limiting the use of scripting and plug-ins within your browser will also help (check out NoScript for this). Most important is a good backup strategy. Full “offline” backups should be done frequently, with incremental backups to protect the most recent files. These measures will reduce your exposure, but are still no guarantee that you won’t be hacked. Also important is resisting the temptation to pay the hacker for what seems like a “quick fix.” You’ll never be sure that your data will be released, and the thieves could easily leave behind spyware or otherwise target you again – after all, you paid once…

More Information and Resources:

TechWorld: Ransom malware gangs making huge profits, Symantec discovers
Here is the Symantec report referenced in the article above.
New York Times: For PC Virus Victims, Pay or Else
Malwarebytes: Ransomware

Security Hole Could Let Samsung TVs Watch You

It is without the slightest bit of surprise that I share information about a vulnerability discovered in a line of Samsung’s “Smart TVs” that could potentially allow an attacker to view video from a connected camera over the Internet. Additionally, social media credentials may be compromised, and files like pictures and other media residing on attached storage can be accessed or deleted.

The weakness was discovered by ReVuln, the same group that published information about zero-day holes in SCADA equipment just months ago. Here is a link to an article with more information.

With the proliferation of microphones and cameras in all types of consumer electronics, we have only begun to imagine the impact that vulnerabilities like this could have. From industrial espionage to invasions of privacy in the living room, there is no doubt that these devices will be attractive hacking targets for years to come…

As of today, Samsung does not have an update or patch available to address the issues.

DVR Authentication Bypass Vulnerability

I received an email from a reader of my post on IP camera vulnerabilities who reported that a popular brand of DVR was susceptible to a simple authentication bypass attack. He provided proof of concept code and information about the products affected – including an easy method of locating systems connected to the Internet. After reviewing the information, it does appear that sending a specially crafted request to the device via a browser bypasses the remote access login screen, and results in the DVR serving current images from all connected cameras.

I have inquired about whether the company involved is aware of the problem, and will update this post with specifics once I feel it is appropriate to do so.

UPDATE 12-28-2012: Inquiries to the company whose products appear to be affected, Rifatron, were not acknowledged, so I am posting the manufacturer name for the benefit of those who may have purchased these systems. Note that the units may have been sold under other brand names as well.

Without manufacturer assistance – or a large sample to test – I cannot state which specific products/versions are affected. The safest course of action, if you have one of these DVRs exposed on the internet, would be to disconnect it (or move it behind a good firewall) until the manufacturer responds. The hack, which I have chosen not to post, involves a simple URL string, so even a novice can exploit it. Additionally, by searching for the existence of a specific path/file on Google or your favorite search engine, it is possible to identify and differentiate these devices – making it trivially simple to home in on active units.


 
