    Author Archive - David Sancho (Senior Threat Researcher)

    Last July, the US Department of Homeland Security warned of a new kind of criminal attack: “Google dorking”. This refers to asking Google, via its special search operators, for things its crawler has already found. Let’s look closely and see what this is.

    Google finds things online using a program that accesses web sites: the Google web crawler, called the Googlebot. When the Googlebot examines the web and finds “secret” data, it adds it to Google’s database just like any other kind of information. If it’s publicly accessible, it must be fine, right?

    Now suppose your company’s HR representative left a spreadsheet with confidential employee data online. Since it’s open for everyone to access, the crawler sees and indexes it. From then on, even though it might have been hard to find before, a simple – or not so simple – Google search will point any attacker to it. Google never stored the actual data (unless it was cached); it just made it easier to find.

    This kind of “attack” has been around for as long as search engines have been around. There are whole books devoted to the subject of “Google dorking”, which is more commonly known as “Google hacking”. Books have been published about it for years, and even the NSA has a 643-page manual that describes in detail how to use Google’s search operators to find information.

    The warning – as ridiculous as it might seem – has some merit. Yes, finding information that has been carelessly left out in the open is not strictly criminal: at the end of the day, it was out there for Googlebot to find. Google can’t be blamed for finding what has been left public; it’s the job of web admins to know what is and isn’t on their servers wide open for the world to see.

    It’s not just confidential documents that are open to the public, either. As we noted as far back as 2013, industrial control systems could be found via Google searches. Even more worryingly, embedded web servers (such as those used in web cameras) are found online all the time with the Shodan search engine. This latter threat was first documented in 2011, which means that IT administrators have had three years to shut down these servers, but it’s still a problem to this day.

    In short: this problem has been around for a while, but given that it’s still around, an official warning from the DHS is a useful reminder to web admins everywhere: perform “Google dorking” against your own servers frequently, looking for things that shouldn’t be there. If you don’t, somebody else will, and their intentions might not be so pure. Point well taken, thanks DHS!


    Posted in Targeted Attacks | “Google Dorking” – Waking Up Web Admins Everywhere

    In the second post of this series, we discussed the first two types of attacks involving wearables. We will now proceed to the third type of attack, which can be considered the most damaging of the three.

    High User Risk, Low Feasibility Attacks

    These attacks are considered the most dangerous, but they are also considered the least likely to happen. If an attacker manages to compromise the hardware or network protocol of a wearable device, they would not only have access to the raw data of ‘IN’ devices but also the ability to display arbitrary content on ‘OUT’ devices.

    These scenarios range from personal data theft to mangling the reality of a camera device. These attacks might affect the wearer adversely and might even stop them from performing their daily routines. These attacks can also have a major impact if these devices are used in a professional setting: a simple Denial-of-Service (DoS) attack could prevent a doctor from operating on a patient or prevent a law enforcement agent from acquiring input data to catch criminals.

    Given that the single most-used protocol in these devices is Bluetooth, a quick explanation is in order. Bluetooth is a short-range wireless protocol similar to Wi-Fi in its uses, but with a big difference. Whereas Wi-Fi is built around an “access point” philosophy, Bluetooth works as an end-to-end kind of communication: two devices need to be paired before they can “talk” to each other. In this pairing process, the devices exchange an encryption key that is then used to secure communication between the two. Another difference from Wi-Fi is that Bluetooth tries to minimize radio interference by hopping from one frequency channel to another in a pre-established sequence.

    This type of set-up has two main effects on hacking via Bluetooth. One, an attacker needs to acquire the encryption key in use by listening in on the two devices the first time they sync up; any later than that and the communication will be just noise to the intruder. Two, a DoS attack needs to broadcast noise across the wide range of frequencies used by the protocol in order to have an impact. This is not impossible, but such an attack involves a bigger effort than against most other radio protocols.


    Posted in Internet of Things | The Security Implications of Wearables, Part 3

    In the previous post, we talked about the definition and categories of wearables. We will now focus our attention on possible attacks against such devices.

    The likelihood of an attack varies greatly depending on which broad category we are looking at. The probability of an attack depends on where the attack can take place: the further from the physical device it happens, the more feasible it is. Conversely, the possibility of physical damage becomes much more remote the further you go from the physical device. As the attack moves further away from the device, the focus shifts towards stealing the data.

    Low User Risk, High Feasibility Attacks

    These attacks are the easiest to pull off but they have the most limited application against the user. In this scenario, the attacker compromises the cloud provider and is able to access the data stored there.

    Figure 1. Hackers are accessing the cloud provider to get the data


    Posted in Internet of Things | The Security Implications of Wearables, Part 2

    The Internet of Everything (also known as the Internet of Things) has given rise to new gadget categories in every electronics retailer’s shop. Smart wearables are rapidly becoming more commonplace than you might think. While not everyone has Google Glass, you can bet that a lot of people have fitness trackers and even smart watches.

    By ‘wearable devices,’ we mean those pieces of equipment that people can have on themselves as they go about their day. The purpose of these devices is usually measuring bodily functions or serving as an output for other devices. These two functions can overlap to provide a more rounded experience of the user’s everyday reality as it happens.

    In this series of posts, we are going to review possible attacks and risks associated with wearable devices. Bear in mind that these are largely theoretical and/or conceptual. They are not current attacks, and therefore they may or may not happen depending on how the electronics market evolves and how other attack vectors keep criminals focused on other, juicier targets. Our intent here is not to scare users into avoiding this new device category but to encourage vendors to build security into them from the get-go.

    The Three Categories

    There are three very broad categories that we can use to describe what we are talking about.

    1. The ‘IN’ devices. These are sensors that capture a user’s data at all times. Here, we find fitness sensors that measure the user’s steps, distance, effort, calories, heartbeat, GPS coordinates, etc. These devices usually store the information locally and synchronize with mobile phones or PCs, which in turn upload that data to the user’s cloud account for historical logging and statistical display. Future devices that we have not yet seen could include medical devices that monitor health parameters such as body temperature, blood oxygen, etc.

    2. The ‘OUT’ devices. These are devices that output data coming from other devices, usually mobile phones. Here, we find smartwatches and the like, which are able to display text messages and any application data for ease of use. The data displayed usually comes from Internet sources by means of the intermediate device.

    3. The ‘IN and OUT’ devices. These are devices that capture data and use filters to display it differently. Here we find display devices such as Google Glass, which have cameras that capture reality but also feed data back to the user by means of retina projection. These devices have the ability to enhance the user experience by overlaying information on top of reality. Simpler devices also act as ‘IN and OUT’ by both gathering user data (steps, distance, etc.) and streaming data from their companion mobile phone.

    While these are distinct categories, the tendency is for devices to coalesce into IN and OUT because makers want to add as much value as possible. One example would be devices that record fitness information but also notify users of text messages, events, and other information from mobile devices.

    The Security Standpoint

    From a security standpoint, it’s hard to say which category is more secure than the others. This is because the difference among the categories is primarily about attack vectors. The more things a device can do, the more possibilities exist for attackers. In this case, IN and OUT devices have the largest attack surface, and the most potential for attacks. However, this doesn’t mean that they are less secure. Security will depend on the implementation and the “track record” of the device. By track record, we mean the number of attacks it has withstood over time. For newly introduced devices, cybercriminals may take a longer time to “test” them. However, as devices mature over time and hackers fully understand their inner workings, the platform isn’t as secure anymore.

    In the next blog posts, we will look at the possible attacks and risks associated with wearable devices. 

    You may read the next entries for “The Security Implications of Wearables:”

    For more information about wearables, you may check out the article “Are You Ready for Wearables?” and the infographic, “The Ins and Outs of Wearable Devices.” For more information about smart devices, you may visit our Internet of Everything hub.

    Posted in Internet of Things | The Security Implications of Wearables, Part 1

    The biggest security headache that consumers face on a regular basis may well be… the password. You need one to do just about anything online nowadays. This makes them very valuable targets of theft – as the news that “1.2 billion” passwords were stolen highlights. Unfortunately, remembering passwords for all the sites that people use every day can be a challenge.

    With that in mind, I was interested when I heard about a paper that discussed how users manage multiple passwords. Unfortunately, this paper from Microsoft and Canadian researchers doesn’t actually provide very good advice, and may in fact promote dangerous practices.

    Let me summarize the paper for those who haven’t read it: they suggest that users are incapable of following both of the key tenets of password security: that passwords must be secure (i.e., not easily found with a dictionary-based search), and that they must not be shared. The researchers suggest that users decide which accounts need to be protected with secure passwords; the other accounts can be protected with ordinary passwords that don’t have to be unique or secure.

    This idea only works if you accept as a fact that the user is incapable of remembering secure passwords. However, that’s why password managers exist. This idea that a user must rely on their unaided memory is simply wrong. The computer – whether it’s a PC, tablet, or smartphone – is an extraordinarily powerful tool. Why not use it?

    Yes, these managers are not perfect. Just last month, another group of researchers found vulnerabilities in several online password managers. However, they’re still a significant improvement over trying to remember passwords by rote memory, and it’s a gigantic improvement over using poor passwords. The perfect should not be the enemy of the good.

    I try to make the advice I give as clear as possible. Whether or not that was their intention, studies like this muddy the waters and send the message that bad passwords are okay. It depends on the user discriminating between what needs to be secure and what doesn’t. However, many users are likely to trade security for convenience and choose weak passwords instead. It’s human nature to do so. Sadly enough, the users most likely to choose weak passwords are also the ones most likely to fall victim to various online threats.

    Let’s say, however, that someone really doesn’t want to use a password manager. That doesn’t mean you need to use a bad, recycled password. Consider this procedure:

    1. Choose a simple password you already use. Let’s take “Snoopy2” as an example.
    2. Create an algorithm in your mind that uses the full domain name of the website you’re protecting. So, for example, it can be: “two first letters, two last letters and the number of letters it has, first letter in uppercase”. “” becomes “Twer7”. It can be any algorithm you want, so long as you remember it.
    3. Choose a number that means something to you. Your birthday, the age at which you met your husband, whatever. Let’s say I use the number “32”.
    4. Put it all together. My password for twitter would be “Twer7snoopy232”. My next password for “” would be “Awum19Snoopy232”. If I ever need to change it, just add one to the last number… or 7. It’s up to you.
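    The four-step procedure above, written out as an added example (not code from the original post) so the rule can be checked against the page’s own values. It assumes the site name is the label before the top-level domain, with any leading “www.” dropped (so “twitter.com” gives the 7-letter “twitter”, matching the page’s “Twer7”), and that the base password from step 1 is used exactly as typed; the collision check is an extra, since two sites that share first letters, last letters and length get the same token.

```python
import re


def site_token(domain: str) -> str:
    """Step 2: first two letters, last two letters and the letter count of the
    site name, first letter in uppercase ("twitter" -> "Twer7").
    Assumption: the site name is the label before the TLD, minus any "www."."""
    host = domain.lower()
    if host.startswith("www."):
        host = host[4:]
    name = re.sub(r"[^a-z]", "", host.split(".")[0])
    if len(name) < 4:
        raise ValueError(f"site name {name!r} is too short for the two-plus-two rule")
    token = name[:2] + name[-2:] + str(len(name))
    return token[0].upper() + token[1:]


def derive_password(base: str, domain: str, number: int, generation: int = 0) -> str:
    """Steps 1, 3 and 4: site token + base password + personal number.
    `generation` is added to the number when the password must be changed
    (the post suggests adding one, or seven, to the last number)."""
    return f"{site_token(domain)}{base}{number + generation}"


def find_collisions(domains: list[str]) -> dict[str, list[str]]:
    """Return tokens shared by more than one site: those sites would end up
    with an identical password, which defeats the purpose of the scheme."""
    by_token: dict[str, list[str]] = {}
    for d in domains:
        by_token.setdefault(site_token(d), []).append(d)
    return {t: sites for t, sites in by_token.items() if len(sites) > 1}


if __name__ == "__main__":
    # Constructed sample sites; "twister.com" is there to show a token collision.
    sites = ["twitter.com", "www.github.com", "facebook.com", "twister.com"]
    for site in sites:
        print(site, "->", derive_password("Snoopy2", site, 32))
    print("colliding tokens:", find_collisions(sites))
```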

    The bottom line is: one day we won’t have to use passwords to log into sites anymore. That day, however, is not today. We’re still stuck with passwords, and we need to provide the best advice to users on how to create good passwords. A mixed message – like the one promoted by these researchers – is unhelpful at best, and wrong-headed at worst.

    Posted in Social


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice