Thursday, July 20, 2017

The Child’s T-Shirt Point of Sale (POS) Attack

Despite the fact that sometimes I discuss serious security topics, the name of this blog is after all “Security through Absurdity” and so absurdity is required at times. Prepare yourself for a Costco-sized package of absurd.

As I was walking through Costco today I saw a woman pushing a cart, with her kid in it. I figured if everything else in the cart has a barcode so should her kid. And so I spoke my mind. “You need a kid’s t-shirt with a barcode on this.” I thought she was going to ignore me, but a few seconds later she finally replied "No thanks, I already pay enough for my kids." I had actually thought about the absurdity of paying for your own kid and so I had my own reply (which I thought of on the spot) "what if the barcode is a rebate?" She liked that idea. And that was the birth of the child t-shirt exploit attack.

Replacing barcodes on products to get a cheaper price was innovative - one time - many years ago. The second time it was done was ho-hum. The Child’s T-shirt POS attack is more interesting. I’m sure I am not the only one who has thought of this, but I think my idea of how to monetize it in the real world may be innovative. The Child’s T-shirt POS Attack is the perfect application of social engineering to exploit a cashier with a barcode scanner. The attack exploits the fact that a toddler sitting in a shopping cart wearing a t-shirt with a barcode on it is irresistible. Cashier: “Oh isn’t that adorable. Here you go cutie, let me scan you.” Scan - ding - five bucks off. Ten bucks if you have two kids.

Is that awesome social engineering or what? It can work too, for both Costco and you!

Costco, you owe me big time for this idea...

Sell a child’s t-shirt with a barcode on it that gives the adult accompanying the kid 2% back on each purchase. You give 2% back for executive card holders so you can’t tell me the idea is cost prohibitive. You get your brand displayed every time the kid wears the shirt. The amusement factor is such that the t-shirt will be worn a lot. You will entertain most shoppers. Parents enjoy hearing “that is so adorable” when it’s talking about their kids. You’ll get the “mommy, daddy, I want that” sales (which you get anyway). Finally, the savings makes it less painful for the parents who have to put up with “mommy, daddy, I want that.”

Marketing is about social engineering. If you want to protect against the Child’s T-shirt POS Attack then embrace it and use social engineering to your advantage.

Randy Abrams
Independent Absurdity Analyst 

Monday, July 17, 2017

Stackhackr; Useless for Testing – Good for Marketing

Barkly, a self-proclaimed security company, has revived the 1990’s era Rosenthal Virus Simulator: an application that called false positives good while claiming to test the quality of antivirus products. Some users believed that this simulator indicated if an antivirus product was good at detecting malware. As a result some AV companies wrote detection specifically for Rosenthal’s harmless files. The customers wanted harmless false positives for harmless files and so they got them.

Barkly has come out with a free product they call stackhackr. Stackhackr is a lead generation application that is disguised as a security product testing tool. In reality it is another Rosenthal type program that convinces users that false positives mean better security.

According to Barkly “The malware you create won’t actually cause any harm, but whether it runs or gets blocked will tell you if your system is vulnerable to the real thing.”

Really? If a completely ineffective security product writes detection specifically for this application then you are not vulnerable to the real thing? If a product false positives and detects your harmless files, then the company’s customers are not vulnerable to ransomware? In order to use stackhackr you have to provide your contact information. It is only then that you get something that does not do what it was promised to do. Like I said, stackhackr is a lead generation application, not a test tool.

Stackhackr does not test the ability of a product to detect ransomware, malware, or the ability of a product to effectively deal with any attacks. Due to the security effectiveness of application reputation Barkly specifically calls out this type of detection as a false positive. Barkly claims that detection of their launcher application is a false positive because the launcher file is harmless and not part of the test. Seriously? Detecting a harmless launcher is a false positive but detecting the harmless files it writes is not? Take me to security school, I had no idea that’s how it works. In reality detecting a “harmless” file is not a false positive when it is only ever seen launching malware. Blocking a launcher or a dropper before it delivers its payload is a good thing. If launcher.exe is used to launch the simulator then it is fair game. Blocking the launcher protects users from a false sense of security. The detection is accurate, not a simulation but real protection against deception.

Now for all you AV vendors, Barkly has thrown down the gauntlet, so what are you going to do? If you identify a site delivering ransomware or other malware you block the site. If simulated ransomware or simulated malware creation kits are on https://stackhackr.barkly.com/, then let’s get this simulation off the ground and go block the site. Be sure to mention it is a simulated malware toolkit creation site you are simulating detection of.

I have interacted with major security product testing organizations as an enterprise security professional and as an employee of a security vendor. I have actually worked for a company (NSS Labs) that tests (and breaks) security products. There are no competent testers in the world that would tell you that stackhackr is usable as a security product testing tool.

I recommend against giving Barkly your user information in exchange for stackhackr. You will not receive anything I can deem as even slightly valuable.

Randy Abrams

Independent Security Analyst

Monday, June 26, 2017

The “I Can Use Facebook Any Time I Want To” Offspring Password Reset Attack

No matter how ridiculous, every "cyberthreat" must have a catchy name.

Sometimes parents will restrict the times that a child can use the Internet for anything other than homework or downloading Malwarebytes to fix their parent’s PC. Policy and compliance, as every parent and IT professional knows, are not always followed by choice. If you are a parent, how do you enforce such a policy? Technology to the rescue…

Many cable modems, and other network connectivity devices, allow the administrator to set up times they can block certain computers from using specific Internet sites. Of course that doesn’t work if you leave the default administrator username and password unchanged... it’s either on the Internet, or on a sticker on the bottom of the device.

Since you already knew that, or someone who did know that helped you configure the device, your kid isn’t going to log in to the console and fix the “policy.” Here is where the old adage about physical access and game over comes into play. Simply stated, if a person has physical access to a device, they own it. If your teenager has physical access to the network device, they can perform an insidious password reset attack and you will never be the wiser. There’s a reset button on the device. Among other things the reset button resets the... yeah, password. You may never know it happened until 25 years later when during some random conversation your kid confesses. At that time, if your kid still lives at home, go ahead and enforce lockout hours again. The defense against the offspring password reset attack is to prevent physical access to the device. For the average parent that would be a pain in the @ss inconvenient. I’m not a parent so it isn’t really my problem, I’m just the messenger.

Before you state the obvious, there are parental control apps that can enforce policy on a mobile phone. These apps are almost certainly more common than parents doing anything with their cable modem configurations. If you’re a kid, that’s what burner phones are for.

OK, the attack is esoteric and it just amused me, but the point is that sometimes physical security is required where you least expect it. Perhaps next time I will discuss the legal implications of the offspring password reset attack, but don’t lock up your kids yet.

By the way, I recommend using a password manager and keeping both your current username and password in it and the default username and password. For one, it can be a pain in the @ss inconvenient to turn over the device with all of those network cables and the stiff coaxial cable attached in order to see the sticker with the password on the bottom. For another, if anything happens to the sticker with the password, and it is a modem specific password, you are now vulnerable to a password lockout attack. I find it embarrassing to tell my ISP that my cat licked off the cable modem sticker…. especially the second time.

Randy Abrams

Independent Security Analyst with a Stranger Sense of Danger

It has been so long since I posted here that most of the posts were irrelevant. I did leave the two rules you damned well better know post though. It is currently timeless, but that may change at a future time.