Online Shopping Tips for a Cyber Crime Free Holiday Season

Just another reminder to shop safely this holiday season. Today the Department of Justice announced that it has seized 150 websites that were peddling counterfeit goods.

“For most, the holidays represent a season of good will and giving, but for these criminals, it’s the season to lure in unsuspecting holiday shoppers,” ICE director John Morton said in a statement about the seizure.

According to Reuters.com, the websites included pumaoutlets.net, myjerseyshop.com, and uggbootsclearanceoutletstores.com.

Cyber Crime is huge business right now, but here are a few steps you can take to protect yourself:

1. It is usually safest to buy from large, well-known websites. Always make sure that the website name is spelled correctly. Most browsers will automatically highlight the domain name in the link so you can check this.

2. Always make sure that the website is using SSL (secure communications) when you get to the actual ordering process. The website should switch to secure HTTPS:// instead of just the regular HTTP://.

3. Do not click on links in e-mails that redirect you to a store. It is a common practice for hackers to create legitimate-looking e-mails that link to counterfeit or malicious servers. Just go directly to the store; you should be able to find any public sales listed there.

4. Beware of horribly misspelled and unformatted e-mails supposedly from foundations or organizations. Most spam filters catch these now, but don’t spend time on them; just trash them.

5. If a deal is too good to be true, it just might be! Common sense goes a long way in protecting you from online scams.

6. Use strong passwords on your online accounts. A long combination of upper and lower case letters, numbers and symbols is best.

7. And finally, avoid using bank Visa cards that tie directly to your bank account online if you can. Use gift cards, limited value credit cards, or cards that have one-time-use virtual numbers or shop safe features. Even standard credit cards can have better safeguards and refund policies than a bank card. When in doubt, ask your bank about its credit card policies.

Surf safely and have a great Holiday!


Researchers Break Military Chip Encryption Keys using Nvidia Tesla GPUs

German IT Security researchers at Ruhr University have recently released a report documenting the ability to crack strong encryption used in programmable chips. These chips are used in Military and Aerospace embedded systems.

According to Government Computer News, the researchers were able to crack the encryption key and access data on two different models of Field Programmable Gate Array (FPGA) chip using an attack called differential power analysis (DPA).

In the attack, power use is monitored during the power-up sequence of the chip. As it is powered up, the chip accesses a key used to decrypt the configuration data file and data stream. By analyzing the power used, the team was able to recover the key:

“Side-channel analysis attacks follow a divide-and-conquer strategy,” they wrote. “That is, the key is recovered in small pieces.”

The keys were extracted in eight pieces of 32 bits each from the data gathered in a single power up for each chip. They analyzed the power consumption of 50,000 encrypted bitstream blocks for the Virtex 4 and 90,000 blocks for Virtex 5.

According to the report, a set of four Nvidia Fermi Tesla C2070 GPUs analyzing the data could obtain the key from a Virtex 4 device in about 6 hours, and a Virtex 5 device in about 9 hours.
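The divide-and-conquer idea can be seen on simulated data. The following is an added example, not code from the researchers' report or from this post: it scales the problem down to a constructed 16-bit key split into four 4-bit pieces, so each piece needs only 16 guesses instead of 65,536 for the whole key, and it repeats the analysis on a device that applies a random mask, one well-known class of DPA countermeasure (the post does not say which defenses it refers to). The Hamming-weight leakage model, the PRESENT S-box as toy target, the noise level and the trace count are all assumptions.

```python
import random

# PRESENT 4-bit S-box, used only as a small nonlinear toy target.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
HW = [bin(v).count("1") for v in range(16)]   # Hamming weights

def capture(key, n, masked, rng, noise=1.0):
    """Simulate n power samples (constructed data, not real measurements)."""
    inputs, power = [], []
    for _ in range(n):
        data = [rng.randrange(16) for _ in key]
        leak = 0
        for d, k in zip(data, key):
            mask = rng.randrange(16) if masked else 0   # fresh random mask
            leak += HW[SBOX[d ^ k] ^ mask]              # leakage model
        inputs.append(data)
        power.append(leak + rng.gauss(0, noise))
    return inputs, power

def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5 if vx and vy else 0.0

def recover(inputs, power, pieces):
    """Score the 16 guesses for each key piece independently."""
    key, scores = [], []
    for i in range(pieces):
        corr = [pearson([HW[SBOX[d[i] ^ g]] for d in inputs], power)
                for g in range(16)]
        best = max(range(16), key=corr.__getitem__)
        key.append(best)
        scores.append(corr[best])
    return key, scores

def demo(seed=2011, n=3000):
    rng = random.Random(seed)
    secret = [0x3, 0xA, 0x7, 0xE]   # constructed 16-bit key, four pieces
    plain = recover(*capture(secret, n, False, rng), len(secret))
    masked = recover(*capture(secret, n, True, rng), len(secret))
    return secret, plain, masked

if __name__ == "__main__":
    for label, result in zip(("secret", "unmasked", "masked"), demo()):
        print(label, result)
```

On the unmasked traces every piece stands out with a clear correlation peak, while on the masked traces the best score for any guess stays at noise level. The masked run models only first-order leakage; a real countermeasure also has to protect how the mask itself is handled.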

But what could an attacker do if they obtained the key? An attacker could possibly reverse engineer the bitstream, modify the device configuration or implant a hardware trojan.

Defenses against this type of attack exist, but according to the research some new chips do not use the defense technology and some existing chips may also be vulnerable. Though no attacks using DPA are known at this time, that doesn’t mean that some nation states have not thought about using it in an attack. Paul Kocher, a developer of DPA and president of Cryptography Research, had this to say:

“If China gets a piece of military equipment and breaks the key in an FPGA, they wouldn’t talk about it, but if [the researchers] can do it, the presumption is that anyone else who wants to could.”

Counterfeit network gear intended for the US military has already been recovered by FBI agents. It is not a long stretch to think that FPGA chips could also be a target of foreign nations.

* Update – “Cracks in encryption security for embedded chips not fatal, company says” – GCN

USB Attack Vectors move Beyond Flash Drives to Malicious USB Devices

You have all heard about the dangers that USB drives can pose. In 2008, the US Military suspended the use of USB drives after a large worm attack hit military systems. Iran’s nuclear power plant was hit with Stuxnet, supposedly from a USB drive. And following the recent Wikileaks disaster, the military is banning all removable devices from systems connected to SIPRNET, the government’s secret network:

Maj. Gen. Richard Webber, commander of Air Force Network Operations, issued the Dec. 3 “Cyber Control Order” — obtained by Danger Room — which directs airmen to “immediately cease use of removable media on all systems, servers, and stand alone machines residing on SIPRNET,” the Defense Department’s secret network. Similar directives have gone out to the military’s other branches.

So no more CDs, DVDs or thumb drives will be allowed near these machines.

Then there is always the threat of malicious hardware. For years the government has been worried about counterfeit electronic hardware with built-in backdoors, mainly from Chinese manufacturers. Earlier this year millions of dollars of counterfeit Cisco equipment was confiscated that was to be sold to Marines in Iraq:

Ashoor purchased counterfeit Cisco Gigabit Interface Converters (GBICs) from an online vendor in China with the intention of selling them to the U.S. Department of Defense for use by Marine Corps personnel operating in Iraq, the DOJ said. The computer network for which the GBICs were intended is used by the Marine Corps to transmit troop movements, relay intelligence and maintain security for a military base west of Fallujah, Iraq, the DOJ said.

So security experts have been on the lookout for USB drives and even counterfeit routers, but what about an innocent looking USB keyboard, or mouse? How much attention would that garner?

Adrian Crenshaw (Security Specialist and Speaker) has shown from his recent work with the Arduino “Teensy” programmable keystroke device that almost any USB device, including keyboards, mice, and the innocent desktop toy could be used as an attack vector. Adrian (also known as “Irongeek”) created the tool for professional security pen testers, but it has really shown how USB attacks can and will move way beyond “Autorun.inf” infectors.

The Teensy programmable keystroke device is made from PJRC’s Teensy USB Development Board.

The computer does not see the Teensy device as a USB drive or another accessory, but as a human interface device (a keyboard). The Teensy circuit board can be inserted inside a keyboard or mouse and can be set to activate when a certain key is pressed or a certain condition is met. So, for example, if the “Scroll Lock” or “Caps Lock” key is pressed, the Teensy could send the commands to copy all the data from a certain directory. The Teensy can also be set to activate via timer or whatever the pentester desires. Antivirus would not detect it, because its output would seem to be just standard keyboard input.

Also, the inside of the mouse or keyboard leaves ample room for the miniature Teensy and whatever else the pentester may want to use. Inside a standard mouse case, Adrian was able to insert a Teensy device, a USB hub and flash memory. With this type of setup, he could have the Teensy device issue commands to run a script from the flash drive or even copy data from the system to flash storage. (View Adrian’s video on YouTube)
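Because the host treats such a device as an ordinary keyboard, one place a defender can look is the operating system's record of which keyboards have been attached. The following is an added example, not code from this post or from Adrian Crenshaw's work: it audits Linux kernel log lines for keyboard-class HID interfaces, and the sample log, the device IDs and names, the inventory set and the 30-second boot window are all constructed assumptions.

```python
import re

# Line the Linux HID core logs when it binds an interface to a driver.
HID = re.compile(
    r"\[\s*(?P<ts>[\d.]+)\] \S+ \w{4}:(?P<vid>\w{4}):(?P<pid>\w{4})\.\w+: "
    r".*USB HID v[\d.]+ (?P<kind>\w+) \[(?P<name>[^\]]*)\] on usb-(?P<port>[^/]+)/")

# Constructed sample: a keyboard and mouse present at boot, then a device
# plugged in later that names itself a mouse but registers a keyboard.
SAMPLE = """\
[    2.104511] hid-generic 0003:1111:0001.0001: input,hidraw0: USB HID v1.10 Keyboard [Example USB Keyboard] on usb-0000:00:14.0-1/input0
[    2.310077] hid-generic 0003:1111:0002.0002: input,hidraw1: USB HID v1.11 Mouse [Example USB Mouse] on usb-0000:00:14.0-2/input0
[ 5121.884203] hid-generic 0003:1234:ABCD.0003: input,hidraw2: USB HID v1.11 Keyboard [Generic USB Mouse] on usb-0000:00:14.0-3.1/input0
"""

ALLOWED_KEYBOARDS = {"1111:0001"}   # hypothetical site inventory (VID:PID)
BOOT_WINDOW = 30.0                  # assumed: seconds counted as "at boot"

def audit(log, allowed=ALLOWED_KEYBOARDS, boot_window=BOOT_WINDOW):
    """Return one alert per suspicious keyboard-class HID interface."""
    alerts, keyboards = [], 0
    for line in log.splitlines():
        m = HID.search(line)
        if not m or m["kind"] != "Keyboard":
            continue                              # only keyboards can type
        dev = f"{m['vid']}:{m['pid']}".lower()
        reasons = []
        if dev not in allowed:
            reasons.append("keyboard not in inventory")
        if keyboards and float(m["ts"]) > boot_window:
            reasons.append("extra keyboard hot-plugged after boot")
        if "keyboard" not in m["name"].lower():
            reasons.append("product string does not describe a keyboard")
        keyboards += 1
        if reasons:
            alerts.append({"time": float(m["ts"]), "device": dev,
                           "port": m["port"], "name": m["name"],
                           "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in audit(SAMPLE):
        print(alert)
```

Vendor IDs, product IDs and product strings are supplied by the device and can be set to anything, so these checks work as a tripwire for unexpected keyboards, not as proof that a listed one is benign.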

I believe that with the Teensy programmable keystroke device, we are really looking at a new generation of intelligent malicious hardware that will be limited only by the imagination of the attacker.