Data Leaks Reviewed
Often single incidents don’t attract much attention, but the combination does. We’re getting used to lost laptops, USB sticks, CDs/DVDs/HDs and gadgets containing data. There’s even a project, called DataLossDB, that tries to keep track of data loss incidents world-wide. Compromised web sites are also quite common. Only big figures raise eyebrows, so this week’s favourite news item is Sony and the PS3 network.

Someone created unauthorised backups of database tables containing (encrypted) credit card information, user names, passwords, birth dates and home addresses of PlayStation Network users. We still don’t know the nature of the security breach, but the impact is substantial, both in terms of the number of stolen records and, very probably, financial damage. There hasn’t been much talk about the passwords and their storage format, but we all know that few people use different passwords for different accounts. The chances are good that we will see more compromised accounts in the wake of this breach once the stolen data is put to use.

Next in line is a data breach at the United Nations Educational, Scientific and Cultural Organization (UNESCO). An on-line article in the German newspaper Der Spiegel reports that application documents of diplomats, scientists and employees had been publicly accessible for years. Again the details will emerge in the future, and again the impact is substantial.
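The storage format of the leaked passwords decides how much a dump like this is worth to whoever sells it on. The following is an added example, not code from the original post or from Sony, and the user names and passwords in it are constructed. It contrasts an unsalted hash (where two accounts with the same password produce the same record, so password reuse is visible straight from the dump) with a per-user salted PBKDF2 record, where identical passwords leave no visible trace and each guess costs the attacker a full key derivation.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# PBKDF2 work factor; chosen for this example, tune to your own hardware.
ITERATIONS = 200_000
RECORD_ALGO = "pbkdf2_sha256"


def weak_record(password: str) -> str:
    """Unsalted SHA-1: same password -> same record for every user."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record: algo$iterations$salt$derived_key.

    A fresh random salt is drawn for every call, so the same password
    stored for two users yields two unrelated records.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([
        RECORD_ALGO,
        str(ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the derived key from the stored salt and compare in constant time."""
    try:
        algo, iters, salt_b64, dk_b64 = record.split("$")
    except ValueError:
        return False
    if algo != RECORD_ALGO:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(candidate, expected)


def records_correlate(record_a: str, record_b: str) -> bool:
    """True if two stored records alone reveal that both accounts share a password.

    For the salted format only the final (derived key) field is compared, which
    is what someone holding the dump would look at.
    """
    return record_a.split("$")[-1] == record_b.split("$")[-1]


def demo() -> dict:
    # Constructed sample users; two of them reuse the same password.
    users = {"alice": "correct horse", "bob": "correct horse", "carol": "battery staple"}

    weak = {u: weak_record(p) for u, p in users.items()}
    strong = {u: hash_password(p) for u, p in users.items()}

    return {
        "weak_reuse_visible": records_correlate(weak["alice"], weak["bob"]),
        "strong_reuse_visible": records_correlate(strong["alice"], strong["bob"]),
        "alice_login_ok": verify_password("correct horse", strong["alice"]),
        "alice_wrong_password": verify_password("correct  horse", strong["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salt and iteration count travel inside the record, so the work factor can be raised later without breaking existing logins; a record written with a lower count still verifies, and can be rewritten at the user’s next successful login.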
Let’s change the angle of perspective: location data tied to personalised gadgets or embedded devices. You’ve heard of the SQLite file on various iPhones and iPads, storing location data updates going back to 2010. There’s been a big uproar, and legal steps are anticipated. While the database contents are not extremely accurate, there’s another fact worth knowing. The »newly discovered« consolidated.db file was known to forensic experts long ago. It is documented in the book »iOS Forensic Analysis«. There should be no surprise. Location-based services require that the devices or the software using/offering them know the location. Once this data is stored, you or the manufacturer (or whoever) needs to protect it. Alex Levinson describes in his blog, in three steps, how to do this. That’s one of the aspects of mobile security we talked about at past DeepSec conferences, and we love to hear more about it (especially if the security measures have flaws, of course).
Where’s the combination? Well, let’s use the data gained from the PS3 network breach and the UNESCO web site and couple it with mobile devices. Be creative. Where do phone numbers point to? Once you can call a mobile device, you can try more tricks. The SMS-o-Death talk of 27C3 springs to my mind. Give your stolen goods a call and see if you can get a better price by throwing more attacks at it.
Another way to look at GPS-provided location data is through the eyes of Don Bailey. He took a hard look at personal GPS devices that track the whereabouts of your children, car, pet, or shipment. The security of these devices is often very weak or non-existent. Bailey was able »to find, target, and impersonate the user or equipment rigged with these consumer-focused devices«. He also used SMS as a lever. To quote from the article: »…Bailey was able to discover the tracking devices, profile them, using what he calls “war texting,” to intercept their location. Zoombak uses a Web 2.0 interface that provides a map showing the GPS-equipped person or payload’s physical location. The devices receive commands via SMS text messages.« Seen devices with an SMS command interface lately? We have, so has Don Bailey, and so will attackers.
Why do we tell you all of this? Well, try to creatively combine weaknesses. We’d be happy to hear about your thoughts in our Call for Papers! 😉