As a computer consultant I find this quite disturbing.
Researcher: Half a million database servers have no firewall
Reply
Tag Archives: Security
Denial of Service attacks with a new twist?
BBC recently gave us a nice little story about electronic car keys. Bruce Schneier has covered the story as well. The gist of the story is that a lot of people had trouble opening and starting their cars in one particular parking lot. People started checking different causes for this and long suspected a rouge wireless broadband unit or something like that. It finally turned out to be another car, belonging to a commuter, with the same lock system that was sending out signals, and thus blocking the signals for all the other users.
This tells me two things.
- It is possible to block the usage of electronic keys by jamming the frequency range
- It seems that the frequency range for wlan and for car-keys are pretty close and maybe even the same.
If they use the same bandwidth I suspect that we will see a lot of young boys with laptops blocking frequencies in a car park near you, soon.
It seems that the car industry has avoided the attention of hackers so far. Or just touched the borders of them. One of the comments from Bruce Schneier’s blog put it quite well.
"I had an interesting "debugging" session a few years ago when my car battery went flat if the car was parked outside my house for more than 36 hours. Anywhere else, no problem. It turned out my new weather station transmitted on the same frequency as the keys and kept the computer awake!!
There’s lots of other car-related problems: when Land Rover first introduced the latest shape Range Rover, the tyre pressure monitoring system got confused if another identical vehicle passed you in the street.
I’ve also heard of a radio signal based fuel level monitor. Combined with an engine management system that would stop the engine before you run out of fuel to prevent expensive catalyst damage, that suggests some interesting car-jacking opportunities.
Press the remote key on someone’s 1999 Range Rover 100 times and they won’t be able to open the car.
Renault Megane’s can be unlocked and started with a MiFare 4k card – trivially clonable if you look at rfidiot.org.
The car industry hasn’t begun to feel the pain of poor security yet.
Andy Cunningham"
Fingerprints as identification
Bruce Schneier had a blog entry about the security of partial fingerprints yesterday. His main point is that there has been a ruling in an US court recently that partial fingerprints cannot be used in a murder case. He links among else to the news-article (update: link removed, not longer available) describing this ruling.
Now this seems to me to be an effect due to sampling frequency. Research has shown that the fingerprints of two different individuals are different. The problem is that law agencies don’t seem to check the whole fingerprint. They check only a few different spots of the fingerprint. In other words they have a sampling frequency algorithm when they enumerate a fingerprint. Now, I am no expert on fingerprints, but I do know the weaknesses of a sampling frequency. If it is too loose you might get wrong data. To different objects can be identified with the same sampled key. (You might call it the same hashing key if you like.)
The article references among else two other cases where the fingerprint have been wrongly identified, and the judge “criticized the common method of fingerprint as overly subjective and lacking in standards”. Now the reason I am blogging about this is that we are now seeing the utilizing of fingerprint readers in a lot of devices. From laptops to airline check-in points.
As everybody that has seen the Mythbusters episode where they are trying to hack fingerprint readers know, such technology is not 100% secure. They only have to be secure enough. I have been alerted to wrongly identified airline passengers due to electronic fingerprint readers (in Norway). I would like to know if this was caused by software or hardware malfunction, or if the product did not use a “sampling frequency” capable of handling enough different passengers.
Anyway, we have to be aware of the weaknesses of a technology we are using and if there are problems we have to address them accordingly.
Link to entry on Digg
Posted from Oslo, Oslo, Norway.
Cracking the system – the “new” way
Any web-developer that has been working with a form on the Internet can tell you that to sanitize your input fields is a must, and of course it does not only apply to web applications. But I do admit that this little cartoon I read a little way back sums it up pretty marvelously.
This cartoon is available at xkcd.com and the site is highly recommended (if you are technically inclined).