Some Not So Funny General Security Faux Pas in 2012

I decided that it might be interesting to categorize a few of the security faux pas of 2012 by thinking about what the victim might have said just after the security exploit that got them. I hope it prevents you from being a victim too.


Faux Pas Number 1

“I never knew what that little symbol on my credit card meant.” Heard being said after a person had lots of strange charges on his credit card. The card had been compromised when somebody bumped into the person in an airport waiting area and grabbed the card data through the RFID chip embedded in the card. Check your credit cards; if you have one of the following, your card has RFID:

  • If your card is a Visa, do you see the contactless® logo on it?
  • If your card is a MasterCard, do you see the PayPass® logo on it?
  • Do you have an American Express Blue®, Blue Cash®, Blue Sky®, Clear®, or Starwood Preferred Guest® card?

If you do have one or more of these, it means that unless you have a wallet or card holder that is shielded, your card information can be read by a portable RFID card reader carried by someone else in your proximity, and your information can be stolen. See “Newer Cards Can Be Hijacked”.

Faux Pas Number 2

“Where is my car? I know exactly where I parked it, but it is gone.” This was heard from a luxury car owner with keyless entry and a start button whose car was stolen at an event they were attending. These keyless devices have absolutely no security built into them. They work by proximity between the keyless device and your car. Hackers are using two transponders to compromise these.

For example, you are in a conference. Attacker #1 is also in the conference and takes a portable transponder of their own making into the auditorium. His partner, attacker #2, has a similar transponder in the parking lot. Attacker #1 walks around the auditorium looking for keyless entry devices that respond to his transponder. When he finds one, he calls his partner by cell phone and tells him to start walking around the outside parking lot looking for expensive cars with keyless entry. Attacker #1 re-transmits the keyless entry signal to attacker #2, who in turn transmits it as he walks around until he finds a car that responds. Now that car blinks its lights to let attacker #2 know where it is, and it is unlocked. He gets in the car, still transmitting the signal, starts it and drives off.

The car allows driving off even when the range between the two attackers is beyond the signal transmission range, because all these cars will continue to run once started, in case a child throws the key out of the car while it is being driven, or the battery of the keyless device dies while it is being driven. All of the above is done for the safety of the driver; bye-bye car. See “Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars”.
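To make the mechanism concrete, here is an added simulation (not code from the original post or from the cited paper) of a simplified car-to-fob challenge/response; the shared key, the latency figures and the round-trip bound are assumptions for illustration. It shows why the two-transponder relay works: the fob's cryptographic answer is just as valid when forwarded through the attackers' transponders, so only a bound on how long the answer took to arrive can tell the two cases apart.

```python
import hmac
import hashlib
import os

# Constructed example values: a real fob key is provisioned at the factory,
# and a real round-trip bound would be derived from signal propagation time.
SHARED_KEY = b"example-fob-key-not-a-real-one"
MAX_RTT_US = 1000   # assumed: longest round trip the car accepts as "nearby"


def fob_respond(challenge: bytes, key: bytes = SHARED_KEY) -> bytes:
    """The fob authenticates the car's challenge with an HMAC over it."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def car_unlock(challenge: bytes, response: bytes,
               rtt_us: int, enforce_rtt: bool) -> bool:
    """The car verifies the fob's MAC; optionally it also bounds the RTT."""
    expected = fob_respond(challenge)
    if not hmac.compare_digest(expected, response):
        return False          # wrong key or tampered response
    if enforce_rtt and rtt_us > MAX_RTT_US:
        return False          # valid answer, but it took too long to arrive
    return True


def attempt(relayed: bool, enforce_rtt: bool) -> bool:
    """One unlock attempt, either with the fob beside the car or relayed."""
    challenge = os.urandom(16)
    rtt_us = 300              # assumed: genuine fob a metre or two away
    if relayed:
        # The fob is in the auditorium; its honest answer is forwarded
        # fob -> transponder #1 -> transponder #2 -> car, adding latency.
        rtt_us += 5000        # assumed relay delay
    response = fob_respond(challenge)   # the real fob always answers
    return car_unlock(challenge, response, rtt_us, enforce_rtt)


if __name__ == "__main__":
    print("direct, MAC only:       ", attempt(False, False))   # True
    print("relayed, MAC only:      ", attempt(True, False))    # True
    print("direct, MAC + RTT bound:", attempt(False, True))    # True
    print("relayed, MAC + RTT bound:", attempt(True, True))    # False
```

The second line of output is the faux pas: with the MAC check alone the car cannot distinguish a relayed fob from one in the driver's pocket.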


Faux Pas Number 3

“But I thought that email and the joke link were from you.” Spoken to a supplier friend whose email list had been compromised by an attacker, after the receiver had had his computer hit by malware which then affected his entire company network. This was a targeted phishing attack. The attacker targeted one company and several of its suppliers. The attacker first used another mechanism, perhaps a thumb drive with the company logo dropped in the parking lot, to start the attack. One of the supplier company's employees picks up the thumb drive and plugs it into his computer to see who it belongs to and what might be on it. His computer is immediately infected and the attacker steals the supplier's email contact list. This is done because several of the real target company's employees are on that contact list. The attacker then sends an email that looks like it came from the supplier to the target employee, with a link to a joke in it. The targeted employee clicks the link. His computer is now compromised and infested with malware, which proceeds to infect the entire company network by again stealing email lists and continuing to send email to people until the attackers get to the people or asset that they want. See “What is Spear Phishing?”


Ah! So you clicked on the links I provided – how do you know they are safe? – Just kidding.