Tag Archives: hacking

Down The Rabbit Hole And Into The Cloud

With Chrome OS on the horizon, there has been a lot of blogging about whether client computers will become more secure. I would just like to take this opportunity to look at this question from an other, less discussed, angle – the angle that follows the data and not the computer that access the data.

Since Chrome OS is basically nothing more than a web-browser, it has been claimed that the client computers running it will become a lot more secure. I don’t necessarily dispute this claim but I want to highlight the real reason why this will be the case. Certainly, the less points of attack there are (i.e. the smaller the system), the less vulnerabilities there will be to exploit. But more importantly, the reason why Chrome OS based clients will be safer, will be that the data that is usually stored locally on PC’s will be stored somewhere in the Cloud. As such, it will become less appealing for criminals to find exploits to access data on the client computers.

And if the hackers will no longer care about client computers, where will they then be focusing their attention? That is right, to the Cloud. We are entering a whole new era of storing, processing and accessing of data. As such I would not be surprised if we see a whole new genre of exploits emerge – you know like buffer overflows for C or SQL injections for databases or XSS for websites. I’m quite certain that we will see a new generation of exploits emerge that are specific to Cloud solutions. I don’t know enough about Cloud architectures to know what these exploits will look like but I’m sure that the principle will be as basic and simple as the principles are for any of the exploit categories I just mentioned.

After all, if Google is sitting on all this data why on Earth would hackers keep writing exploits for client computers when most of them will contain limited amounts of useful information. Sure, the temptation of viruses that collect passwords and credit card details is still luring, but I think that the more hard-core hackers will follow the data, and if the data goes to Google, that is where the hackers will go. It just seems silly to spend time and energy to come up with remote exploits to gain access to local clients, when you can gain access to ALL the data stored by Google of ALL their users. Sure, it’s not going to be easy but after all, Chrome OS will be a (somewhat) trusted client connecting to the Google infrastructure – what else do you need as a starting point?

Furthermore, any exploits that do more then collect keystrokes or credit card numbers entered into a browser on a local computer will need to use the Google infrastructure to collect the user’s data from the Cloud. For example if a virus wants to get the address book of the victim to spread itself, it needs to get into the Gmail interface. So, it will need to communicate with the Cloud. And once it is communicating with the Cloud, why would it not take the next step and check out what else is stored in the Cloud under the user’s account. And if it is already there, why not try to escalate privileges and try to gain access to other people’s data? And while there, might as well see if there are any corporations storing data somewhere near… do you see?

So, sure, the Chrome OS clients will definitely be more secure then your average PC’s (even the ones with updated operating systems and virus scanners), but that does not necessarily mean that your data will be more safe. It just means that another attack vector has been added – that of the Cloud. More and more hackers will be drawn to try to exploit the Cloud infrastructure to gain access to several users’ data from within the cloud, circumventing any interaction from the user.

Nothing to hide vs. nothing to fear

One of the arguments used to install more and more public surveillance equipment (besides the obvious “it’s for YOUR OWN safety”) is that if you have nothing to hide, you have nothing to fear. And after all, it’s not like the surveillance companies post all their recorded videos online for everyone to behold. No, only a few professional security guards have access to these feeds so that they can intervene if a “situation” arises.

NOT! That is a gross assumption. We think that it is a security guard monitoring the monitors, but do we actually know that for sure? Do we even know if there are any regulations regarding who gets to have access to all these video files and under what conditions? I don’t. We assume that there are licensed professional security personnel watching the screens, but it may very well be that in certain places nobody watches the screens – the images are simply recorded onto a computer (or videotape) and accessed by the police after you’ve been shot to find the guy/gal who shot you. But it may just as well be convicted pedophiles sitting there watching the screens. Think about it, if there are no regulations about who gets to supervise the surveillance footage and the surveillance companies need to save money, why not employ any hobo who is prepared to look at a couple of monitors all day for minimum wage?

But it may just as well be hackers or rapists looking at the video footage. Or… hang on… did he say “hackers”? Yes he did! Several years ago there was a Google hack whereby anyone could search for a specific term and Google would spit out a list of private security cameras installed all over the world accessible to everyone over the internet because the persons installing them did not activate the password features. So you could just click on a link and see the security footage of a parking lot outside a bar in Arkansas or something.

More recently, Kevin Finisterre, a security researcher was tasked to test the security of a city’s infrastructure and managed to hack a police vehicle’s on-board camera and microphone. Well, he didn’t even need to do much hacking, he just followed the instruction manuals of the systems (found on Google) and used the default passwords. He could see and hear the live feeds from cop cars and upload and download videos from the on-board computer (which, btw are admissible as evidence in a court of law).

So if the security of surveillance equipment used by the police are so easily circumvented what makes us think that the surveillance equipment used in taxis, public transportation vehicles, train stations, markets, malls, etc are any more secure?

But let’s leave security out of the equation for a moment. The point is that besides the licensed professionals and perverts I mentioned above, we also have hackers who can watch me do whatever I do in public areas such as: walk, talk, eat, shop, sneeze, yawn, scratch my privates, pick my nose, stare at a woman, stare at a man, kiss my wife, kiss my cousin. I’m quite certain there are others who do lot more embarrassing (maybe even illegal) things in public. With other words, we have a group of peeping-toms who, broadly speaking, are fascinated with “boobies”, who are convinced that all information should be made public, who have no quarrels about publishing a clip of their school-mate going to second base on the school-bus or publishing pictures of people scratching various parts of their bodies. And this group of people, with enough patience and conviction can access surveillance data from just about any public surveillance system in the world (and I haven’t even gotten into organized crime or terrorism)

And you tell me that I have nothing to fear if I have nothing to hide? Please! I will have nothing to fear when the surveillance providers go public with their recruitment and security procedures and their security audits. Then I will feel confident that me scratching my privates will not end up on dunces-scratching-their-asses.com or that my wife’s low-cut top won’t end up on boobwatch.xxx

 

Keep track of those 404 errors

I recently noticed in my sats that a bunch of the 404 errors that were logged were most likely hacking attempts.  So, since I didn’t want to keep going back to logs to figure out who did what, I threw together a little code that can be inserted into any html file that is stored on a host that supports php.  The code provides a warning for the person trying to access a file that does not exist, and it also sends an e-mail to me when such a thing happens.

Continue reading