Hacking 911 systems: an update

It isn’t often that there is a very short trajectory from an academic research paper to reality, but when it comes to hacking the 911 emergency phone network this is indeed the case. The paper was written earlier this year and first given to the Department of Homeland Security before being published online this fall.

The researchers from Ben Gurion University in Israel describe how an attacker could knock a 911 service offline by launching a distributed denial of service (DDoS) attack using a collection of just 6000 smartphones. While that is a lot of phones to gather in one place, it is a relatively small number when this is compared to computer-based attacks. And you don’t really need to gather them together physically: you can infect these phones with some malware and control them all remotely.

As in other DDoS attacks, the attacking devices, here phones rather than computers, make repeated calls to 911, thereby blocking the system from getting legitimate emergency calls. It is a chilling concept, because unlike other DDoS attacks, the hackers aren’t just bringing down a website with large bursts of traffic: they could prevent someone from getting life-saving assistance.

In the paper, the researchers simulated a cellular network modeled after the 911 network in North Carolina and then showed how attackers could exploit it.

Now 911 attacks aren’t new: indeed, the DHS issued this alert three years ago and mentioned that more than 600 such attacks have been observed over the years. What is new is how easily the attacks could be launched, with just a few thousand phones and some malware to make it all work. Also, these previous attacks were launched against the administrative phone numbers of the alternate 911 call center, not to the actual 911 emergency lines themselves. If you are interested in how the 911 center operates, I posted a piece many years ago about this here.

There are other stories about hospitals and other businesses that have had their phone systems flooded with calls, blocking any business calls from being connected. And where there is fire, there is at least one security vendor to put it out or protect an enterprise network from being exploited by telephone-based DDoS attacks.

The problem is in the design of the 911 call centers. These centers have no built-in way of blacklisting or blocking callers: they want to be able to answer any call from anyone who has an emergency. Therefore, in the face of a large attack, they would have no choice but to answer each and every call. But let’s say we could implement such a blocking service: it would also prevent the unwitting owner of an infected and blacklisted phone from making a legitimate emergency call.

Well, that was the theory behind the paper. It didn’t take long before someone actually did it “in the wild,” as they say when an actual attack has been observed. Last month a teen was arrested for allegedly carrying out such an attack and is facing three felony counts. The teen, Meetkumar Hiteshbhai Desai, discovered an iOS vulnerability that was used for launching the attack and flooding a call center in Arizona. Now his phone supposedly was the only one used, and it made just 100 calls in a matter of minutes. But that was enough to get the cops on his case.

It is distressing to be sure. But whether these attacks are done by script kiddies or by professional criminals, certainly the opportunity is there and very real indeed.

Why runtime application self-protection is critical for next gen security

Today most of us go about implementing security from the outside in. The common practice to define and then defend a perimeter isn’t viable any longer. With the added complexities of more mobile endpoints, agile development and more sophisticated malware, better protective methods are needed.

In this white paper I wrote for VASCO, I describe a method that is gaining traction by defending the actual apps themselves using runtime self-protection. RASP, as it is called, comes from a Gartner 2012 report, but is catching on with several vendors, including Arxan Technologies, HPE App Defender, Immun.io, Lookout App Security/Bluebox, Prevoty, Vasco Digipass for Apps, Veracode and Waratek.

RASP can be a solid defense and a way to isolate and neutralize a potential threat, so you can operate your business safely in these uncertain environments.


The future of St. Louis can be found here

I am almost embarrassed to admit that I have lived in the Central West End neighborhood of St. Louis and never even known about one of the most vibrant college campuses around. I refer to Ranken Technical College, a school that sits just a mile or so from my home and has been operating for more than a century.

We used to refer to these sorts of places as vocational schools, as if they were less than a “real” college. But the tide of perception has turned. As I found out on my tour around campus with the school’s president Stan Shoun, this is the real future of our city.

The private, non-profit school has more than a dozen different degree programs, spanning things like auto repair, architecture, carpentry, HVAC technology, IT, plumbing, and control systems. Each graduate gets on average five different job offers, and that is where you start to see the difference. Almost everyone is gainfully employed within six months, most getting paid more than $30k a year. The last job fair Ranken held had close to 400 companies recruiting their students, the largest such job fair in the state. That is the kind of college that I would want to go to!

While the school has sat in the same place for more than a century, it is no ivory tower. It is strictly a hands-on place, with the latest equipment for the students to get trained on. Students spend three hours in labs or in the various machine shops for every hour in the classroom.

Car companies routinely drop off their latest models for the students to tear apart and put back together. Shoun makes a point of having his own personal car from whatever they have finished working on: his last car took 18 months to get street-legal again, after being totaled in an accident. The auto shop programs are the school’s largest: consider that this was “new technology” back 100 years ago. One class works on tuning high-performance engines, as you can see in this photo.

The IT class that I visited was a set of students who had taken their Cisco CCNA exams, which all but one had passed. There were other computer labs scattered around the 23-acre campus, some being used for classes teaching computer-controlled equipment such as you see here for this metalworking rig.

They also learn on these custom workbenches that are built for them: I have no idea what their purpose is, but it sure is impressive. To top it all off, over the years students have built more than 60 single-family homes that ring the campus. That is probably more new construction of that type than anyplace else nearby. The campus is also growing: Shoun intends to increase the student body over time, as demand for these kinds of skills continues to rise. And he is opening new campuses too: Ranken has expanded to the western St. Louis suburbs to be near a GM plant, and another campus is opening about two hours south of the city near another auto parts facility.

And to help keep tuition reasonable, Shoun is also acting CEO of more than a dozen different “microventures,” run by the students. These are real operating businesses that dovetail with the school’s programs: the students get real-world experience, so when they graduate they already have some solid skills and abilities. That is really smart, not to mention effective.

Given that many of these kinds of technical jobs are unfilled, Ranken clearly serves a need. I am glad that I stumbled across the place and got to see it first hand. If you would like a tour, I can set you up. You will see the future of St. Louis quite clearly as you walk around their campus.

FIR B2B podcast: do’s and don’ts of marketing research

Grant Gross’ excellent story in CIO.com goes into more detail about why you can’t pin the exit polling failures of last week’s general election on big data. Paul and I use these failures as a starting point to discuss the lack of quality in survey research, particularly in the B2B tech marketing space. Both of us have been the recipients of lousy survey “results,” or more accurately, wishful thinking on the part of marketing and PR people. So save everyone’s energies: don’t produce these 200-person SurveyMonkey polls that have no real meaning. Better yet, when a reporter wants to see the survey instrument and the underlying methodology, send it. You’ll gain plenty of street cred and may even get some ink too.

Our recommendations are to pay careful attention to survey size, understand the sampling methodology, make use of a professional pollster or research analyst or statistician and learn from the experts.

Listen to our podcast here:

iBoss blog: Who are the bug bounty hunters?

Bug bounties have become more popular, but that isn’t surprising given they have been around for more than a generation. The first bug bounty program originated with computer science professor Don Knuth decades ago. It rewarded readers for reporting errors in his classic book series The Art of Computer Programming, and for catching bugs in several of his landmark software applications. Since then, many vendors such as Google and Facebook have been running programs, and there are third-party platforms that handle submissions and payouts, set the rules for participation, and generally keep track of all the administration for the program.

You can read my post on the iBoss blog here.

Simple steps to harden your SMB network

If you run your own small business network, chances are your security could be better. Consider these two news stories that I posted this week on my Inside Security newsletter:

ITEM #1: A group of hackers shut down the heating system on a block of apartments in Finland last month. The issue was a lack of any firewall protecting the HVAC unit, which was controlled by a computer that had a public IP address. You can bet now they have one to protect their systems.

ITEM #2: An auto dealership CRM used by more than 100 dealers has leaked their customers’ and employees’ data online, mainly because their backups were all unencrypted and accessible to hackers.

I recently spent some time hardening my network doing three simple tasks. All of them can be accomplished in under an hour, if you have some basic knowledge and skills, and if you are careful at following the various instructions and interpreting the results. Nevertheless, it took me a lot longer: either because of my own stupidity or sunspots or whatever.

The three tasks are to harden your WordPress installation, scan your ports, and add a basic level of security to your email domain.

WordPress hardening

There are two basic ways to run a WordPress blog: one is by using your own server and the other is by using the free hosting service and having a server at YourDomain.Wordpress.com. I have used both and get into the pros and cons here in a previous post. Assuming you have control over your own server, there are numerous sites that keep track of WordPress plugins and other vulnerabilities; we will just mention a few here:

  • Sucuri maintains this site, and they recently discussed a DDoS attack on v4.5.3 as well as XSS and SQL injection attacks. It is always a good idea to stay current with WordPress versions.
  • If you want some motivation about making your WP site more secure, you should read these suggestions from WPMUDEV. Some are easy to implement, others will take some time.
  • This site has a description of a few vulnerabilities with detailed information on how they are compromised (they also have a free WP plug-in to protect your site). If you get into tracking vulnerabilities, they also have a bug-bounty program.
  • And Network World has an article that goes into best practices about operating your WP site. You can also review many of these on the WordPress Codex that are more of a general security nature too.
  • Finally, you should download the Wordfence plug-in and use it to protect your server. They also have on their site details about general security topics, including an article about how WP-based botnets get started. Their plug-in is free for basic services, and you can upgrade if you want more. I had some trouble when I first installed the plug-in and got to inadvertently test their support team, which was excellent. When I re-installed it, it worked fine.

Scan your ports

For many years I have been a big fan of Steve Gibson’s Shields Up port scanner. It is well worth using, because it is simple, free, and will take just a moment to look at your network router and see what open ports you have. The big limitation is that it only scans the first 1000 ports: that was fine years ago when the Internet was just a gleam in Al Gore’s eye, but now life has gotten more complex. I would also suggest using the BullGuard scanner, which will scan more ports. When I did this on my Uverse-connected network, it found port 7547 open. I hadn’t seen this port before and found this mention on PC World, which has to do with the embedded web server that is used to manage my Uverse DSL modem. There isn’t much you can do about it, unless you want to switch to a cable ISP connection.

Secure your email server

I have written extensively on using email encryption for your day-to-day emails, but there is another way to approach better email security, and that is by adding an automatic digital signature to the headers of each outgoing email using a protocol called DKIM, which stands for DomainKeys Identified Mail. Most email hosting providers now support this protocol; Google’s help page for their hosting services starts here. DKIM uses public/private key pairs much like PGP and others do, though for signing messages rather than encrypting them. You have your choice of key lengths (choose the longer and more secure 2048-bit keys if your provider supports them).

Google’s help pages are very explicit as to the steps you need to take. You basically need to do three tasks: first, you obtain a key from your email hosting provider. Then, you add a DNS entry with your domain’s DNS provider (which in my case is my ISP). Then you want to take a few days and check to make sure that you did this correctly, using this verification service.
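Before publishing the DNS entry in the second step, it helps to sanity-check the record text itself. The following is an added example, not code from the original post: a small Python linter that parses the DKIM tag list, walks the base64 DER-encoded public key in the `p=` tag and reports the RSA modulus size, flagging keys shorter than the 2048 bits recommended above. The records it checks are constructed inline around a dummy modulus, not real key material.

```python
"""Lint a DKIM TXT record (published at <selector>._domainkey.<domain>).

Added example. The records are constructed here for illustration: the
key is a structurally valid SubjectPublicKeyInfo wrapping a dummy modulus.
"""
import base64

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def _der_len(n: int) -> bytes:
    """Encode a DER length in short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, next_pos) for the DER element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, buf[pos:pos + length], pos + length


def fake_rsa_spki(bits: int) -> bytes:
    """Constructed test data: SPKI whose modulus is `bits` bits long (not a real key)."""
    modulus = b"\xc3" + b"\xab" * (bits // 8 - 1)           # top bit set -> exact width
    rsa_pub = _tlv(0x30, _tlv(0x02, b"\x00" + modulus) + _tlv(0x02, b"\x01\x00\x01"))
    alg_id = _tlv(0x30, _tlv(0x06, RSA_OID) + _tlv(0x05, b""))
    return _tlv(0x30, alg_id + _tlv(0x03, b"\x00" + rsa_pub))  # 0x00 = no unused bits


def constructed_record(bits: int) -> str:
    """A DKIM TXT record string carrying a constructed key of the given size."""
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(fake_rsa_spki(bits)).decode()


def rsa_modulus_bits(spki: bytes) -> int:
    """Walk SPKI -> BIT STRING -> RSAPublicKey -> modulus INTEGER and size it."""
    _, outer, _ = _read_tlv(spki, 0)
    _, _alg, nxt = _read_tlv(outer, 0)
    tag, bitstr, _ = _read_tlv(outer, nxt)
    if tag != 0x03:
        raise ValueError("expected BIT STRING in SubjectPublicKeyInfo")
    _, rsa_pub, _ = _read_tlv(bitstr[1:], 0)                 # skip unused-bits byte
    tag, modulus, _ = _read_tlv(rsa_pub, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus in RSAPublicKey")
    return int.from_bytes(modulus, "big").bit_length()


def parse_dkim_record(txt: str) -> dict:
    """Split the RFC 6376 tag=value list ('v=DKIM1; k=rsa; p=...') into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def lint_dkim_record(txt: str) -> list:
    """Return a list of findings; an empty list means the record looks sound."""
    tags, findings = parse_dkim_record(txt), []
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("v= must be DKIM1 when present")
    if tags.get("k", "rsa") != "rsa":
        findings.append("k=%s is not rsa" % tags["k"])
    if not tags.get("p"):
        findings.append("p= is empty: key revoked or record incomplete")
        return findings
    bits = rsa_modulus_bits(base64.b64decode(tags["p"]))
    if bits < 2048:
        findings.append("RSA key is only %d bits; publish a 2048-bit key" % bits)
    return findings
```

Feed it the TXT value your provider hands you (strip the quotes that DNS tools wrap around long records) before you paste it into your zone.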

Good luck with securing your domain and servers. Feel free to share other simple tips here as well.


Joey Skaggs and the art of the media hoax

I have had the pleasure of knowing Joey Skaggs for several decades, and observing his media hoaxing antics first-hand during the development and deployment of his many pranks. Skaggs is a professional hoaxer, meaning that he deliberately crafts elaborate stunts to fool reporters, get himself covered on TV and in newspapers, only to reveal afterwards that the reporters have been had. He sometimes spends years constructing these set pieces, fine-tuning them and involving a cast of supporting characters to bring his hoax to life.

His latest stunt is a documentary movie about filming another documentary movie that is being shown at various film festivals around the world. I caught up with him this past weekend here in St. Louis, when our local film festival screened the movie called The Art of the Prank. Ostensibly, this is a movie about Skaggs and one of his pranks. More about the movie in a moment.

I have covered Skaggs’ exploits a few times. In 1994, he created a story about a fake bust of a sex-based virtual reality venture called Sexonix. I wrote a piece for Wired (scroll to nearly the bottom of the page) where he was able to whip up passions. In the winter of 1998, I wrote about one of his hoaxes, which was about some issues with a rogue project from an environmental organization based in Queensland, Australia. The project created and spread a genetically altered virus. When humans come into contact with the virus, they begin to crave junk food. To add credibility to the story, the virus was found to have infected Hong Kong chickens, among other animals. Skaggs created a phony website here, which contains documentation and copies of emails and photos. Now remember, this was 1998: back then newspapers were still thriving, and the Web was just getting going as a source for journalists.

As part of this hoax, Skaggs also staged a fake demonstration outside the United Nations headquarters campus in New York City. The AP and the NY Post, along with European and Australian newspapers, duly covered the protest, and thus laid the groundwork for the hoax.

Since then he has done dozens of other hoaxes. He set up a computerized jurisprudence system called the Solomon Project that found OJ guilty, a bordello for dogs, a portable confessional booth that was attached to a bicycle that he rode around one of the Democratic conventions, a miracle drug made from roaches, a company buying unwanted dogs to use them as food, and more. Every one of his setups is seemingly genuine, which is how the media falls for them and reports them as real. Only after his clips come in does he reveal that he is the wizard behind the curtain and comes clean that it all was phony.

Skaggs is a genius at mixing just the right amount of believable and yet unverifiable information with specific details and actual events, such as the UN demonstration, to get reporters to drop their guard and run the story. Once one reporter falls for his hoax, Skaggs can build on that and get others to follow along. Skaggs’ hoaxes illustrate how little reporters actually investigate and in most cases ignore the clues that he liberally sprinkles around. This is why they work, and why even the same media outlets (he has been on CNN a number of times) fall for them.

In the movie, you see Skaggs preparing one of his hoaxes. I won’t give you more details in the hopes that you will eventually get to see the film and don’t want to spoil it for you. He carefully gathers his actors to play specific roles, appoints his scientific “expert” and gets the media – and his documentary filmmaker – to follow him along. It is one of his more brilliant set pieces.

Skaggs shows us that it pays to be skeptical, and to spend some time proving authenticity. Given today’s online climate and how hard the public has to work to verify basic facts, this has, ironically, gotten a lot more difficult. Most of us take things we read on faith, especially if we have seen it somewhere online such as Wikipedia or when we Google something. As I wrote about the “peeps” hoax in 1998, “a website can change from moment to moment, and pinning down the truth may be a very difficult proposition. An unauthorized employee could post a page by mistake. One man’s truth is another’s falsehood, depending on your point of view. Also, how can you be sure that someone’s website is truly authentic? Maybe during the night a group of imposters has diverted all traffic from the real site to their own, or put up their own pages on the authentic site, unbeknown to the site’s webmaster?”

Today we have Snopes.com and fact-checking efforts by the major news organizations, but they still aren’t enough. All it takes is one gullible person with a huge Twitter following (I am sure you can think of a few examples), and a hoax is born.

In the movie, trusted information is scarce and hard to find, and you see how Skaggs builds his house of cards. It is well worth watching this master of media manipulation at work, and a lesson for us all to be more careful, especially when we see something online. Or read about it in the newspapers or see something on TV.

FIR B2B Podcast: PR tips and my 21-year newsletter streak

In this week’s podcast with Paul Gillin on B2B marketing, I talk about my 21 years of writing a weekly Web Informant email newsletter. Last year I summarized my efforts in this piece with lots of links back to the early days.

Also in our podcast, we pay tribute to Bill Machrone, editor of PC Magazine and an all-around fine human being, for his recent passing after battling brain cancer for two years. And we address a listener’s questions about the importance of images and about C-suite demands that PR pros support the brand’s lead generation efforts.

Listen to the 15-minute podcast here:

This campaign isn’t like high school

This week I had a chance to talk to some high school kids in the area. They are part of a business class called Spark that is designed to teach kids how to start their own businesses. The class is taught in a storefront in a local shopping mall, deliberately to give the students a more non-school milieu. I came to talk about using Twitter and other social media tools. I had given this presentation to previous classes for the past several years, so I wasn’t really focused on the events of the presidential campaign and how current they would be in this context. And I found our discussions quite interesting, but not in the way you might think.

I was actually surprised by the mature responses from the kids. Many of the students thought that some of the things being said on social media and on TV about the campaigns were certainly entertaining, but they thought the candidates weren’t acting appropriately. I made the comment that many of the students seemed more mature in their reactions compared to what the candidates tweeted and posted, and there were nods all around the room.

Xanthe Meyer, the Spark teacher, was also surprised by their responses. “Maybe the kids are more interested in the presidential election this year, because it is racier. But I am also shocked that both candidates’ PR teams allow these kinds and levels of responses. I think this election will be in many studies as an example of what NOT to do,” said Meyer. “I wonder what would have happened if we had social media during the Watergate scandal?”

The class is pretty tech savvy: the kids use Twitter, Slack, Instagram and LinkedIn to communicate with each other and with their teachers, and are encouraged to do so. “It is expected that we use social media more,” said their teacher. I was surprised that many of the kids weren’t really facile with Twitter, and I guess that was one of the reasons why I was there, to help them understand how to use it more effectively.

Meyer has been teaching for decades, and recalls what happened during class when 9/11 happened. “We watched the event live during class on TV. Later, our principal was getting phone calls from parents complaining about my decision. And this was from parents of 17 and 18 year olds. That was crazy. These kids could be drafted!”

I mentioned that during the last couple of debates, parents were posting thoughts about not letting younger kids watch the debates. “In our community, parents do shelter their kids from the news. We are definitely living in a different world politically, and I think this campaign amounts to one big negative political ad that is running continuously. It is like a long version of a TMZ episode that is embarrassing to our nation. Not sure if I know what the true issues are anymore.”

One issue for this and other teachers: using social media is a tricky situation. Last year, a local special ed teacher was suspended for several days after her profanity-laced tweets got her into trouble with the school district. And there are numerous other examples of teachers who have gotten in trouble over their tweets, which seem tame now compared to what the candidates say about each other lately. Teaching is a tough enough job already – my mother was a special ed teacher for decades – but navigating these waters now has to be done with care.

Still, I thought it instructive that, with all the “locker room talk” and “boys being boys” – at least when it came to this high school class – the kids took the higher road. Maybe there is something we can learn from this to improve our supposedly “adult” discourse.