RFID Viruses Imminent?
Researchers warn of possible RFID viruses, but Russ says phooey. Also: invisible Web sites, search engines and subpoenas, and Ernst & Young loses a laptop full of sensitive info on IBM workers.
A recent study shows proof that RFID
tags are vulnerable to viruses and
says that attacks could soon come in the form of a SQL injection or a buffer
Researchers at Vrije Universiteit in Amsterdam demonstrated a self-replicating
virus at a conference in Italy. The demonstration used middleware created by
the researchers themselves and tags they had infected with as little as 114
bytes of malware code.
Replication, in this case, would only be possible if the system the RFID delivered
its data to also created new RFID tags. Further, it relied upon the malware
having some knowledge of the middleware that it was going to deliver its data
Be it SQL injection or a buffer overflow, neither is possible if the data
being read from the RFID tag is vetted prior to being handled by the middleware.
In an attempt to over-hype their research, the researchers claimed, "You
can hide baggage, you can reroute baggage to the wrong place -- all kinds of
mischief. That I think is a very, very serious thing that even has national
Yeah, right. Let us just ignore the fact that I, the criminal, am not the one
ensuring my baggage only has malicious RFIDs on it. How do I get my baggage
hidden, or routed to the wrong place, if it also has a valid RFID on it placed
there by the air carrier? So the malicious tag overflows a buffer in the baggage
handling middleware -- depending on the middleware, either it's going to cause
the entire system to freeze, or my baggage is going to appear to have multiple
tags. Either way, my baggage is going to get kicked out of the system as causing
problems so that it can be manually directed.
It's far more likely that RFID middleware is going to be tampered with
by portable devices with far more memory than an RFID tag. A laptop mimicking
an RFID could do far more damage or disruption and would more likely yield the
attacker some desired effect.
Bottom line: If you're writing any sort of RFID middleware, be sure to
parse your expected input.
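As an added illustration of that bottom line (example code, not from the column or from the Vrije Universiteit demonstration): a small reader-to-database path that vets every tag read against the format the middleware expects before it touches the database. The tag format (a 24-digit upper-case hex EPC-96 identifier), the 64-byte read ceiling, the `scans` table and the sample reads are all constructed assumptions. The unvetted function is kept only as the contrast, to show the concatenation pattern the researchers relied on.

```python
"""RFID middleware input vetting: constructed example, not the column's code."""
import re
import sqlite3

# Assumption: the reader hands us an EPC-96 as 24 upper-case hex digits.
EPC_HEX_LENGTH = 24
EPC_PATTERN = re.compile(r"^[0-9A-F]{24}$")
# Hard ceiling applied before anything else, so an over-long read is dropped
# rather than copied into whatever fixed-size buffer sits downstream.
MAX_READ_BYTES = 64


def vet_tag_data(raw: bytes) -> str:
    """Return the tag identifier if it matches the expected format; raise otherwise."""
    if len(raw) > MAX_READ_BYTES:
        raise ValueError(f"tag read of {len(raw)} bytes exceeds {MAX_READ_BYTES}")
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError as exc:
        raise ValueError("tag data is not ASCII") from exc
    if len(text) != EPC_HEX_LENGTH or not EPC_PATTERN.match(text):
        raise ValueError("tag data is not a 24-digit hex EPC")
    return text


def open_db() -> sqlite3.Connection:
    """In-memory table standing in for the middleware's back end (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE scans (epc TEXT NOT NULL, reader TEXT NOT NULL)")
    return conn


def record_scan_unvetted(conn: sqlite3.Connection, raw: bytes, reader: str) -> None:
    """The pattern the researchers attacked: raw tag bytes spliced into SQL text.
    No length or character check, so whatever the tag carries reaches the parser."""
    sql = f"INSERT INTO scans VALUES ('{raw.decode('latin-1')}', '{reader}')"
    conn.execute(sql)


def record_scan_vetted(conn: sqlite3.Connection, raw: bytes, reader: str) -> str:
    """Vet first, then bind the value as a parameter so it is never parsed as SQL."""
    epc = vet_tag_data(raw)
    conn.execute("INSERT INTO scans VALUES (?, ?)", (epc, reader))
    return epc


def process_reads(conn: sqlite3.Connection, reads, reader: str = "dock-door-3"):
    """Vet a batch of reads; return (accepted EPCs, [(raw, reason) rejected])."""
    accepted, rejected = [], []
    for raw in reads:
        try:
            accepted.append(record_scan_vetted(conn, raw, reader))
        except ValueError as exc:
            rejected.append((raw, str(exc)))
    return accepted, rejected


def count_scans(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM scans").fetchone()[0]


# Constructed sample reads: one well-formed tag, one in lower case (format
# drift), one over-long read, one carrying SQL metacharacters.
SAMPLE_READS = [
    b"3034257BF7194E4000001A85",
    b"3034257bf7194e4000001a85",
    b"3034257BF7194E4000001A85" * 3,
    b"3034257BF7194E40' OR '1'='1",
]

if __name__ == "__main__":
    db = open_db()
    ok, bad = process_reads(db, SAMPLE_READS)
    print("accepted:", ok)
    for raw, why in bad:
        print("rejected:", raw, "->", why)
    print("rows stored:", count_scans(db))
```

The length check comes before decoding and pattern matching on purpose: it is the one test that also addresses the buffer-overflow half of the column's argument, since a read that is discarded at the door is never copied anywhere. Everything that survives vetting is then passed to the database as a bound parameter, so the metacharacters in the last sample read would be stored as inert text even if the format check were loosened.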
Interesting Bluetooth Security Page: This paper
provides a good introduction to what Bluetooth is, how it works and considerable
coverage of the security aspects. And coming from an anti-virus company, it's
unusually hype-free on the malcode aspects.
A speaker at the FOSE 2006 trade show recently described in detail how
terrorists could prevent legitimate viewers from seeing their Web content based
on the viewer's IP address, browser settings, etc., in an effort to "cloak"
themselves from law enforcement.
Well, there's some news! This speaker sells software that allows anyone
to be anyone, from anywhere, using whatever browser you choose. So now he's
providing detailed instructions to terrorists that he hopes will help promote
the use of his software. I'd have to say that's sinking to an all-time
low in marketing.
K-Otik, now calling itself FrSIRT in an attempt to leverage
the credibility of FIRST, has decided to start selling the exploits they receive.
Anything that limits the spread of exploit code is a good thing, but very little
of what K-Otik published was unique to its site anyway. At least it may mean
that some wannabe criminals may have to look harder to find a variety of exploit
code to choose from for their next attack.
Cnet.com recently conducted a survey of the four top search
firms to find out what information they stored and whether or not the information
had ever been requested in a subpoena. The results were that all could tell
you, based on an IP address and/or a cookie, what terms have been searched for.
Conversely, all could identify what IP addresses and/or cookies had searched
for a specific term. None but Microsoft MSN would comment on whether they had
been subpoenaed. MSN was candid and stated they had never been asked for a list
of IP addresses and/or cookie values based on a search term, and that they had
been asked once to produce a list of search terms searched by a specific IP
address and/or cookie (ACLU v. Gonzales).
I'd argue the questions were just wrong. The questions suggested that
you could identify a person from an IP address and/or cookie value. While you
could certainly infer an identity from such information, proving it is another
question. With ISP logs in hand you might identify the address where the computer
was located while using a given IP address, and even find the cookie present
on the computer, but it's another step to prove that John Doe was actually using
the computer at the moment in question.
Imagine what a list of search terms might look like for an average family using
the same computer and the same login ID for everyone in the family!
This column was originally published in our weekly Security Watch newsletter.
Ernst & Young has lost another laptop containing the Social Security
numbers (SSN) and other personal information of its clients' employees. This
time, the incident puts thousands of IBM workers at risk. Ex-IBM employees are
also affected. The Register has learned that the laptop was stolen from an Ernst
& Young employee's car in January. The employee handled some of the tax
functions Ernst & Young does for IBM's workers who have been stationed overseas
at one time or another during their careers. As a result of the theft, the names,
dates of birth, genders, family sizes, SSNs and tax identifiers for IBM employees
have been exposed.
Assuming you have the certificate infrastructure to do so, employing the Windows
Encrypting File System using both a unique user key and a backup Administrator
key will take you off the target of opportunity list. Theft of laptop devices
inside the organization is largely seen as targeting the data, not the device.
Such criminals are not going to waste time trying to decrypt the EFS. However,
it is worth mentioning that most of the forensics tools available these days
include a module for cracking the encryption of EFS and its ilk.
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.