Cheap Sensors Can Track People Using Signals From Their Mobile Devices
Home-brewed CreepyDOL, using a network of very cheap sensors can track people by using signals sent from their mobile devices
Most consumers and workers typically know that their mobile devices are sending off data to the Internet, most do not understand the implications of carrying around an always-on connection in their pockets.
A University of Wisconsin at Madison law student and security researcher plans to highlight the privacy and security problems by demonstrating a monitoring system that uses a network of inexpensive sensors to track people using their smartphones and other wireless devices. The system, known as CreepyDOL, uses a network of air-dropped sensors that listen for wireless traffic, allowing the tracking of anyone with a wireless-enabled mobile device.
“The CreepyDOL system takes the fundamental assumption of hiding in the crowd and does away with it,” says Brendan O’Connor, the founder of security consultancy Malice Afterthought and the creator of the system. “Even if you don’t connect, if you are wired on a network, we will find you. If you are a person in a city, we will find you, and we will do it all for very little money.”
While many privacy activists focus on the massive amounts of data collected by Google and other Internet firms, and the widespread collection of metadata by the National Security Agency, CreepyDOL underscores that many of the problems are with fast development of the “Internet of things.”
“This is really going to get out of control, but it’s the future,” says Chris Wysopal, chief technology officer for Veracode, an application-security firm. “Everyone is going to be able to track anyone, unless there are regulations.”
O’Connor put together a “Frankensteinian” collection of technologies to create the sensor platform. He created a disposable sensor platform that can be air-dropped on the rooftops of buildings in the targeted area. Dubbed F-BOMB, the platform costs less than $60 and can last for five days or more on two AA batteries. The sensors connect to each other using a wireless command-and-control protocol, called Reticle, that O’Connor created to connect to open wireless networks and use the Tor anonymizing network to send data and receive commands.
The two technologies scramble communications and also encrypt information about the other nodes in a way that makes forensics analysis difficult. Even if a CreepyDOL node is found, a defender should not be able to gain information about the attacker, O’Connor says.
The system listens for the control signals sent from smartphones that are looking to connect to a wireless network. Any smartphone or tablet with WiFi enabled will occasionally send information about itself and the networks it knows about. In addition, if the phone is connected to an open wireless network, the sensors can listen in. Many mobile applications send enough data in the clear to gain additional information on the user.
Finally, O’Connor used a popular 3-D graphics engine to track the whereabouts and additional information about users. The security researcher created a number of filters to grab data and turn that data into information about the user. The sensors do not send any data, only listening for data sent in the clear, he says.
With the proliferation of mobile devices that broadcast information about the user, systems that try to take advantage of the publicly accessible signals will increasingly be developed, says Wolfgang Kandek, chief technology officer of Qualys, a cloud security firm. The wireless technology embedded in an increasing array of devices — from exercise monitors to bicycle handlebars — will enable the easy monitoring of everyday activities, he says.
“There is going to be an explosion of sensor data driven by these types of devices,” he says.
While people are worried about Google and the NSA, they should be concerned that they are carrying around the equivalent of an easy-to-track sensor system, O’Connor says.
“This isn’t even hard, and it should be hard, and that is pretty disturbing to me,” he says. “People fix vulnerabilities when the kid on the street corner can abuse it. Maybe it’s time to fix this now.”
(Article found here at darkreading.com)
Is It Time to Rethink Security??
That is a question I have been asking myself lately. Why? With mobile devices, BYOD and the cloud I believe it takes a much different approach than 2 or 5 years ago.
Five years ago, you could invest in a good firewall with highly restrictive web filtering, enable controls on how you access internal data and you were relatively secure.
That has changed in today’s world. With the rise of smartphones and applications that operate on these smartphones, it is much more difficult to contain the data inside the four walls of your company. Add to that the rise and effectiveness of certain cloud applications, a new approach is certainly needed.
First and foremost is security education. We need to do a better job of educating our people as they are the first defense for better security. In the past the idea was to put restrictions in place to help prevent users from harming themselves. We need to do a better job of enabling them to detect a threat and avoid it.
We also are going to have to accept that cloud and social media is here to stay. Instead of fighting to prevent access to it, a better approach would be educating what proper social media use is. For Generation Y, it is one of their primary methods of communication. We can either fight it or help better educate on the proper use of Social Media.
Finally, we have the cloud. The cloud has been here for a long time (Over Ten Years), we just did not call it the cloud. Hosted email, Salesforce.com, have been applications that have been in the cloud for a very long time. Over the past 2-5 years, we have seen where you can host almost anything in the cloud. In fact for more startups the cloud offers a low cost approach to gain access to valuable servers and applications. With the cloud, we need to make sure we understand how the data is protected at the cloud provider. Is the data encrypted?? How is access into the physical locations that house the data handled? Are they getting pen-tested to ensure their security is up to speed? Is that data hosted overseas or in a domestic datacenter?
My believe is along with data that is hosted in the cloud is authentication. If the data is very sensitive, you should consider some sort of two-factor authentication. Remember, you have the entire world that has potential access to the data and if someone would accidentally obtain a password, they could have the keys to the kingdom. That is why two-factor authentication becomes very import.
Finally, we need to help educate our business owners about data and network security. With what I call the consummation of IT, we will see less of a need for a large design and infrastructure build out and it will be more a of a managed project on how to get the data to the cloud provider and how to build the reports to get what is needed from that data. We need to make sure security is a part of that project and discussions with potential vendors.
Don’t Use the Same Password for Everything
I have talked about this before, but I will do it again. You should have different passwords for different websites. A website such as Facebook should have a different password from a banking site. Sites such as Amazon and Apple such also have different passwords. Why? Crackers, scammers can use sites such as Facebook and even email to get your password. Once they have it, they will attempt to access additional sites. Also, make sure you are changing your password for your banking sites at least every 90 days.
Fortinet Firewall Reporting
I have been supporting Fortinet firewall’s for over 7 years and the reporting appliance has been average. With the most current 5.0 release, reporting seems to not be very functional at all. I have been looking for a solution and I finally have one. It is called TBJ Shield Fortinet Reporting. I have partnered with a company to provide a cloud based solution for reporting for Fortinet devices. The nice thing is you do not need an appliance onsite and it is very easy to setup. You just point your Fortinet to a location in the cloud. You then get access to a portal that has some really nice built-in reports. And a bonus: you don’t have to have a PhD in Fortinet reporting to use the service!
If you are having Fortinet reporting issues and would like a different approach, contact me at firstname.lastname@example.org or at 262-373-9070.
Gadget of the Month – Samsung Galaxy S4
I finally had the chance to upgrade my smartphone. I pre-ordered a Samsung Galaxy S4 and received it a week early, which was surprising. I am very happy with the Samsung Galaxy S4. It has a very nice screen that is easy to read and bright. It has front and back cameras that take very nice pictures. It can also be a remote control for your TV and it can follow your eyes when reading. Overall I think this is one of the best smartphones that I have ever owned and I recommend it to anyone who is looking for the next generation phone.
We at TBJ are looking to grow our business and we would like to enlist your help in finding clients who might benefit from our services. For any qualified leads that result in a meeting, you will be entered into a quarterly drawing to win an iPad Mini. Our best leads come from referrals and we would like to reward you.
If you know of someone that you network with that could benefit from our services, use the form below or email us at email@example.com
Upcoming Event – Transform Your Datacenter with TBJ Consulting and Juniper Networks
(October 9th, 2013 9:00 am – 11:00 am)
Attend this event to learn how:
Juniper views the existing challenges in the data center with the hope of opportunity amid the gloom of increasing cost and challenges of traditional networks
The data center network can be improved through the use of Virtual Chassis technology
Data center network fabrics will change forever change the way we network servers, storage and security in the data center
Physical network security can scale while incorporating next generation security services
Virtual machine security can provide policy enforcement, compliance reporting and VM introspection on the hypervisor without sacrificing performance
Correct answers will be featured in the TBJ Newsletter.
Final Thought of the Month – Documentation
How is your documentation for your IT department? Recently, I had a client who needed to let an employee go. This employee was supposed to be maintaining and documenting the network and the various functions. In reality, the documentation was lacking.
The first item that should be documented in a secure fashion is passwords. All of the various passwords should be put in a central location (with a program such as password safe) with more than one person having the code to the password safe. This ensures you that you will have the passwords to key systems if you need them.
The second item you should really have is a Visio diagram with the various systems on it. It should have names, IP addresses, Roles and functions on this diagram. This will allow for someone to have a good understanding of what the key systems are and what they are used for.
The third item you should have is how the systems are being backed up. This is a key document and should be reviewed quarterly. You want to make sure you understand what is being backed up and how it is being backed up.
If you have vendors or third-party providers you work with, you should also provide documentation on what those applications are and who the key contacts are.
Having documentation like this in place will help if you ever have a disaster as well as if you lose a key employee and need to have someone come up to speed quickly.
The first air conditioner was designed by Willis Carrier in 1902 to control the humidity in a New York publishing house. It helped ink dry faster and smudge free, as well as keeping the paper from expanding and contracting.
The Eiffel Tower grows about six inches every year. In the summer the metal expands to make the tower grow but in the winter the metal contracts to shrink the tower back down.
The frequency of a cricket’s chirps fluctuates with the temperature. If you count a cricket’s chirps for 15 seconds and add 37, you will have the approximate outdoor temperature (in Fahrenheit).
Before the advent of artificial dyes, the most popular way people put the pink into pink lemonade was by adding a few drops of beet juice.