Security Watch

RFID Viruses Imminent?

Researchers warn of possible RFID viruses, but Russ says phooey. Also: invisible Web sites, search engines and subpoenas, and Ernst & Young loses a laptop full of sensitive info on IBM workers.

• By Russ Cooper
• 04/12/2006

Researchers at Vrije Universiteit in Amsterdam demonstrated a self-replicating virus at a conference in Italy. The demonstration used middleware created by the researchers themselves and tags they had infected with as little as 114 bytes of malware code.

Replication, in this case, would only be possible if the system the RFID delivered its data to also created new RFID tags. Further, it relied upon the malware having some knowledge of the middleware that it was going to deliver its data to.

Be it SQL injection or a buffer overflow, neither are possible if the data being read from the RFID tag is vetted prior to being handled by the middleware.

In an attempt to over-hype their research, the researchers claimed, "You can hide baggage, you can reroute baggage to the wrong place -- all kinds of mischief. That I think is a very, very serious thing that even has national security implications."

Yeah, right. Let us just ignore the fact that I, the criminal, am not the one ensuring my baggage only has malicious RFIDs on it. How do I get my baggage hidden, or routed to the wrong place, if it also has a valid RFID on it placed there by the air carrier? So the malicious tag overflows a buffer in the baggage handling middleware -- depending on the middleware, either it's going to cause the entire system to freeze, or my baggage is going to appear to have multiple tags. Either way, my baggage is going to get kicked out of the system as causing problems so that it can be manually directed.

It's far more likely that RFID middleware is going to be tampered with by portable devices with far more memory than an RFID tag. A laptop mimicking an RFID could do far more damage or disruption and would more likely yield the attacker some desired effect.

Bottom line: If you're writing any sort of RFID middleware, be sure to parse your expected input.

Hacking
Interesting Bluetooth Security Page: This paper provides a good introduction into what Bluetooth is, how it works and considerable coverage of the security aspects. And coming from an anti-virus company, it's unusually hype-free on the malcode aspects.

Human Factors
A speaker at the FOSE 2006 trade show recently described in detail how terrorists could prevent legitimate viewers from seeing their Web content based on the viewer's IP address, browser settings, etc., in an effort to "cloak" themselves from law enforcement.

Well, there's some news! This speaker sells software that allows anyone to be anyone, from anywhere, using whatever browser you choose. So now he's providing detailed instructions to terrorists that he hopes will help promote the use of his software. I'd have to say that's sinking to an all-time low in marketing.

K-Otik, now calling itself FrSIRT in an attempt to leverage the credibility of FIRST, has decided to start selling the exploits they receive.

Anything that limits the spread of exploit code is a good thing, but very little of what K-Otik published was unique to its site anyway. At least it may mean that some wannabe criminals may have to look harder to find a variety of exploit code to choose from for their next attack.

Privacy
Cnet.com recently conducted a survey of the four top search firms to find out what information they stored and whether or not the information had ever been requested in a subpoena. The results were that all could tell you, based on an IP address and/or a cookie, what terms have been searched for. Conversely, all could identify what IP addresses and/or cookies had searched for a specific term. None but Microsoft MSN would comment on whether they had been subpoenaed. MSN was candid and stated they had never been asked for a list of IP addresses and/or cookie values based on a search term, and that they had been asked once to produce a list of search terms searched by a specific IP address and/or cookie (ACLU v. Gonzales).

I'd argue the questions were just wrong. The questions suggested that you could identify a person from an IP address and/or cookie value. While you could certainly infer an identity from such information, proving it is another question. With ISP logs in hand you might identify the address where the computer was located while using a given IP address, and even find the cookie present on the computer, but it's another step to prove that John Doe was actually using the computer at the moment in question.

Imagine what a list of search terms might look like for an average family using the same computer and the same login ID for everyone in the family!

Ernst & Young has lost another laptop containing the Social Security numbers (SSN) and other personal information of its clients' employees. This time, the incident puts thousands of IBM workers at risk. Ex-IBM employees are also affected. The Register has learned that the laptop was stolen from an Ernst & Young employee's car in January. The employee handled some of the tax functions Ernst & Young does for IBM's workers who have been stationed overseas at one time or another during their careers. As a result of the theft, the names, dates of birth, genders, family sizes, SSNs and tax identifiers for IBM employees have been exposed.

Assuming you have the certificate infrastructure to do so, employing the Windows Encrypting File System using both a unique user key and a backup Administrator key will take you off the target of opportunity list. Theft of laptop devices inside the organization is largely seen as targeting the data, not the device. Such criminals are not going to waste time trying to decrypt the EFS. However, it is worth mentioning that most of the forensics tools available these days include a module for cracking the encryption of EFS and its ilk.