Computerworld -
Criminal hackers never sleep, it seems. Just when you think you've
battened down the hatches and fully safeguarded yourself or your
business from electronic security risks, along comes a new exploit to
keep you up at night. It might be an SMS text message with a malevolent
payload or an errant signal designed to jam GPS receivers.
Whether you're protecting corporate data or simply trying to keep your
personal files safe, these threats -- some rapidly growing, others still
emerging -- put your systems at risk. Fortunately, security procedures
and tools are available to help you win the fight.
1. Text-message malware
While smartphone viruses are still fairly rare, text-message attacks
are becoming more common, according to Rodney Joffe, senior vice
president and senior technologist at mobile messaging company Neustar
and director of the
Conficker Working Group,
a coalition of security researchers that came together to fight the
malware known as Conficker. PCs are fairly well protected today, he
says, so some black-hat hackers are now targeting mobile devices. Their
incentive is mostly financial: Text messaging provides a way to break
into devices and make money.
Khoi Nguyen, group product manager for mobile security at Symantec, confirmed that text-message attacks aimed at smartphone
operating systems are commonplace now that people are increasingly
reliant on mobile devices. It's not just consumers who are at risk, he
adds. Any employee who falls for a text-message ruse using a company
smartphone can jeopardize the business's network and data and possibly
cause a compliance violation.
"This is a similar type of attack
as [is used on] a computer -- an SMS or MMS message that includes an
attachment, disguised as a funny or sexy picture, which asks the user to
open it," Nguyen explains. "Once they download the picture, it will
install malware on the device. Once loaded, it would acquire access
privileges, and it spreads through contacts on the phone, [who] would
then get a message from that user."
In this way, says Joffe,
hackers create botnets for sending text-message spam with links to a
product the hacker is selling, usually charging you per message. In some
cases, he adds, the malware even starts buying ring tones that are
charged on your wireless bill, lining the pockets of the hacker selling
the ring tones.
Wireless carriers say they do try to stave off
the attacks. For instance, Verizon spokeswoman Brenda Raney says the
company scans for known malware attacks, isolates them on the cellular
network, and even works with federal crime units to block them.
To keep such malware off users' phones, Joffe recommends that businesses
institute strict corporate policies limiting whom employees can text
using company networks and phones, and what kind of work can be done via
text messaging. Another option is a policy that prohibits text
messaging entirely, at least until the industry figures out how to deal
with the threats
2. Hacking into smart grids
A common misconception is that
only open networks -- say, corporate wireless LANs that visitors may use
-- are hackable. Not true, says Justin Morehouse, a principal
consultant at Stratum Security who spoke about network security
at last year's DefCon hacker convention. Morehouse says it's actually
not that difficult to find an access point for a so-called closed
system.
Some nuclear plants and power grids have wireless
networks that are vulnerable to attack. And supervisory control and data
acquisition (SCADA) systems aren't safe either.
For example, the Stuxnet worm
last year infected tens of thousands of Windows PCs running Siemens
SCADA systems in manufacturing and utility companies, most notably in
Iran. It was largely spread via infected USB flash drives.
"Stuxnet proved that it is relatively simple to cause potentially
catastrophic damage" to an industrial control network, says Neustar's
Joffe.
According to Morehouse, another new attack point will be
smart grids that use electronic metering to streamline power management.
Utility companies around the world have begun testing and rolling out
smart grids to homes and businesses. The technology, which can send data
to and receive it from a central system, can also be very helpful for
IT: You can open a console to see the power usage for one section of a
building, for example.
But smart grids might be vulnerable to attacks
that would allow nefarious hackers to cut off electricity at homes and
businesses and wreak other kinds of havoc. One possible attack vector is
a smart grid's communications infrastructure. For example, Morehouse
says, a German utility company called Yello Strom uses a consumer smart
grid system that works like a home automation kit -- the sensors report
energy usage back to the central server via the user's home Wi-Fi
network.
The most effective preventive measure, says Morehouse,
is rigid isolation -- a smart grid should not touch any other network.
Given the dangers that can arise if a hacker gains access to a smart
grid, he says, companies should conduct penetration tests and make sure
that firewalls in closed networks are secure. He advises using tools
such as Core Impact and Metasploit.
3. Social network account spoofing
Users of Facebook,
LinkedIn and other social networks are vulnerable to attacks that rely
on account spoofing. A scammer poses as either someone you know or a
friend of a friend, in order to fool you into revealing personal
information. He then uses that information to gain access to your other
accounts and eventually steal your identity.
In a typical
exploit, says Joffe, someone contacts you on a site like Facebook or
LinkedIn, pretending to be a friend of a friend or a co-worker of
someone you trust. Then, this new "friend" contacts you directly through
text message or email. The correspondence seems legitimate because you
believe he has a connection with an individual you trust.
In another scenario, a scammer might impersonate someone you already
know -- claiming to be an old friend from high school, for instance.
Spoofers can find out your connections by following your public feeds or
looking up the names of co-workers on sites like LinkedIn, where you've
posted your work information.
Once the scammer has established a
connection with you, he uses devious means to steal personal data, such
as chatting online to find out the names of your family members,
favorite bands, hobbies and other seemingly innocuous information. Then
he uses that information to try to guess your passwords or answers to
security questions for banking sites, webmail accounts or other online
services.
Morehouse describes another type of attack that
targets companies as well as individuals. The spoofer might set up a
Facebook page that claims to be the official company page for, say, a
major retailer. The spoofer might claim that the page is a formal method
to contact the company or register complaints.
The page might
offer fake coupons to entice people to join, and it soon goes viral as
people share it with their friends. Once hundreds or thousands of users
have joined the page, says Morehouse, the owner tricks them into giving
out personal information, perhaps by signing up for additional coupons
or special offers.
This ends up being a double attack: Consumers
are harmed because their personal data is compromised, and the company
is harmed because its customers now associate the fake Facebook page
with the real company -- and decide not to buy from that company
anymore.
Joffe says there is no way to prevent a criminal from
setting up a fake Facebook page, but companies can use monitoring tools
such as Social Mention to see how the company name is being used online.
If an unauthorized page turns up, companies can ask the social network
to remove the fake listing.
4. GPS jamming: Threat or nuisance?
An emerging criminal tactic -- interfering with GPS signals -- has
security experts divided on just how harmful it could become.
Jamming a GPS signal at the source is next to impossible, says Phil
Lieberman, founder of enterprise security vendor Lieberman Software.
Blocking the radio signals that are broadcast from orbiting GPS
satellites would require a massive countertransmission. And because the
satellites are operated by the U.S. military, jamming them would be
considered an act of war and a federal crime, says Lieberman.
However, it is easy to jam GPS receivers using low-cost jamming devices like
one sold by Brando.
The devices jam a receiver by overloading it with a signal that's
similar to the real GPS signal. The receiver then becomes confused
because it can't find a steady satellite transmission.
Lieberman doesn't give much credence to fears about jammers
disrupting airplanes or air traffic control systems, because those
networks use a completely different GPS signal from the one we use in
cars and handheld devices. Jamming could, however, be a potentially
dangerous issue when it comes to financial records, he says, because GPS
devices are used in the banking industry to add time stamps to
financial transactions. Although completely blocking transactions would
be difficult, Lieberman says, an industrious hacker could theoretically
disrupt transactions and cause headaches for banks.
Security
expert Roger Johnston, a systems engineer at the Argonne National
Laboratory in Chicago, says spoofing GPS signals is the greater danger,
explaining that GPS receivers are low-power devices that latch on to any
strong signal. He says spoofing could be used for serious crimes --
tricking a delivery truck driver into turning down a dark alley,
changing the time stamps on financial transactions, delaying emergency
vehicles from finding their routes. There have been no reported cases of
GPS spoofing to commit a criminal act, but Johnston warns that the
government and businesses should work to deter such attacks.
Taking some extra precautions -- using strong encryption technology,
engaging only with trusted friends on social networks, and using
penetration testing software on corporate networks -- can alleviate some
fears and help you sleep at night, even if the bad guys keep coming up
with new exploits.
Brandon is a former IT manager at a
Fortune 100 company who now writes about technology. He's written more
than 2,500 articles in the past 10 years. Follow his tweets at @jmbrandonbb.
This version of this story was originally published in Computerworld
's print edition. It was adapted from an article that appeared earlier on Computerworld.com.
