Once attackers get your PIN, they have full access to any credit card information stored in the app and they can use your phone to make purchases. As a user of Google Wallet, the main security you see is the PIN. What makes Wallet easy for you to use now makes it easy for attackers to use; they can now spend your money and credit just as if your phone were an ATM card.

How It Works
The vulnerability involves storing an encrypted hash of the Google Wallet PIN in a database that belongs to the app. Because it’s not stored in the Secure Element chip, the only protection is Android’s user ID-based “sandboxing.” Normally malicious apps can’t access files belonging to another app, but once the phone is rooted that protection and any others are gone.

Google Wallet Cracker app checks whether the phone is rooted.

In this case an attacker with root access can reverse-engineer the Google Wallet app’s database format and extract the hashed PIN.

The Cracker app extracts the encrypted hash of the Google Wallet PIN.

Because the PIN is a four-digit code, an attacker can generate all possible PINs (0000-9999), hash them, and compare against the extracted PIN. On a real phone this takes about four seconds.

The Cracker app displays the recovered Google Wallet PIN four seconds after the app was started.

How Do We Stay Safe?
Currently only Nexus S or Galaxy Nexus users can run Google Wallet. Rubin has responsibly disclosed the vulnerability to Google and the company is now working on patching Android to prevent such attacks. The Google Wallet Cracker is not publicly available.

Google Wallet users can take a number of steps to protect themselves:

• Use a lock code/password, swipe pattern, or face unlock
• Keep your phone close and in your possession. If attackers don’t have physical access to your phone, they can’t install malicious apps or spyware.
• Install antivirus software on the phone to protect against unwanted root exploits and spyware

So far we have discussed vulnerabilities and some types of low-interaction attack vectors. In this lesson we shall continue with attack vectors that require medium or high levels of user interaction to succeed.

These attack vectors are more dangerous because their success relies on the victims, which means that they can work in multiple “buildings” in parallel. (Recall our analogy of comparing a system to a building.) An attacker who uses these vectors also has an advantage that does not depend on technology: the human factor. Humans are curious by nature and, even when we don’t care to admit it, gullible. Almost anyone, no matter how cautious, can be tricked into being a victim of an attack or helping an attacker.

But we’ll delve into the topic of social engineering another time. For now we’ll focus on the vectors themselves. These vectors may require as much work from attackers as the low-interaction ones. Most of the time goes into assembling a malicious website or something similar.

Medium Interaction
Website/mail elements: Visiting a website is usually only a click away, especially if you just happen to be “in the neighborhood.” Think of all the advertisements you see while navigating the web. How many times have you been tempted to click an interesting ad, or follow a mail with a convenient offer? Any of these sites could host an attack or a piece of malware. The whole site need not be malicious, just one hidden element or image will suffice. When you enter a site, your browser tries to load all of the page’s elements; when it reaches the malicious part, the attack executes. Attackers can use this vector to exploit almost every kind of vulnerability because the attack happens online. The disadvantage for the attacker is that this vector requires a vulnerability in your browser to work.

High Interaction
Corrupted files: This broadly works in the same way as website vulnerabilities. An attacker places a file that contains an exploit on some part of the web. It can be a peer-to-peer network, FTP site, art gallery, free software site, you name it, or the attacker can send the file directly to you by mail. You download the file, open it, and Wham!: The exploit runs. The most visible difference is that the victim actually needs to find the file and open it. And that’s why this vector is usually disguised as tempting celebrity photos, work documents, or even free tickets to a concert. These attacks are often widely advertised (social networks anyone?). Because this vector employs the victim’s computer, it is mostly used for exploiting denial of service or remote code execution vulnerabilities. In the latter case, inside the file there’s a small piece of code that communicates with the attacker’s computer or server, allowing access to the victim’s machine.

So next time you see a “OMG, awesome video of <celebrity name> here!” link, don’t just think twice. Don’t open it at all. The most probable outcome is that you’ll open the doors of your “building” to complete strangers and you’ll never know it. Next time we’ll see how the human factor fits into attacks, with a post about social engineering.

And it’s about time. Looking at the widespread careless use of computers and mobile devices, in particular in the home but also in many offices. (It’s 2012: there really should be no more reports of unencrypted laptops with sensitive data being lost or stolen.) As we face attacks from an ever-growing number of criminals, this day should absolutely be used to think about safety.

Although the original intent was to promote safer and more responsible use of online technology and mobile phones, especially among children and younger adults, I think the older generation
(hello, mum ), in fact everyone, can benefit from this opportunity to think about safety and learn a bit as well.

Looking at the results published in “Cyber-security: The Vexed Question of Global Rules,” the first global report on cyberdefense, we can see that companies, organizations, and even governments are well advised to use this day for some brainstorming about the current situation, how to improve it, and how to help employees and citizens to better understand the risks.

So please take a look at the material online at the Safer Internet Day website and have a nice–and safer–day.

Respect the Bouncer
To keep out known troublesome apps, the service performs a malware and spyware scan on all submitted material. It also uses behavioral analysis to determine if a given app is trying to do something suspicious. Google doesn’t stop there; it also does fraud and abuse detection to ban and remove malware writers posing as legitimate developers.

Other Protections
Aside from Bouncer, Google has older methods of protecting users from bad apps. The company cites its “remote app removal switch,” which allows Google to remotely uninstall apps that violate its policies and or are malicious. Although this is good for handling most basic Android malware, additional measures are sometimes necessary.

Sandboxing apps is very useful but is also a double-edged sword. On one side it keeps the average malicious app from accessing user data in other apps; on the other, however, it prevents Google and other security vendors from easily cleaning a device of advanced malware. In the case of malware such as Android/DrdDream or Android/DrddreamLite, which use root exploits to gain total control of a device, it’s necessary to go a step further. These threats that use root exploits completely bypass app sandboxing, requiring stronger methods to remove them. Google now provides a tool that runs on infected devices and removes all malware that were impossible to clean up with the remote removal function.

Alternative App Markets and Malware
Bouncer was able to reduce by half the amount of malware available on the official Android App Market during the past year. That’s an impressive figure. It’s also not the entire picture for Android malware. Android’s openness is great for developers and for users. It’s easy to get started developing apps and distributing them. It’s also easy for users to get an app that does what they need. These were keys that helped to make MS-DOS the most popular operating system in its day: Although MS-DOS was afflicted with viruses and other malware, they were always orders of magnitude smaller than the available number of legitimate applications.

The official Android App Market is not the only source for apps on Android devices. In China, it’s not even the only app store. There are reports of as many as 70 app stores in Beijing alone. In a presentation I gave last year at the security convention DefCon, we found that on a nearly two-to-one basis China was affected by for-profit mobile malware. The majority of this malware was Android based and downloadable from some of these alternative app markets. China has a large number of mobile users and the tactic of local cybercriminals was described by a colleague as “steal a little from a lot.” Even a single dollar from a million users is a good haul for a criminal.

Is a ‘Bouncer’ Enough?
We haven’t yet seen many details about Bouncer internals, but what we’ve seen so far bodes well for Android security. By itself Bouncer is not enough to clean up all infected devices or to keep all malware out of the market. There will still be a need for further innovation in security software and for defense in depth. The Android security team has a lot of clever people on it and no doubt they will continue to improve security while maintaining Android’s open nature.

Disposable computers
A number of years ago at DefCon a team of penetration testers showed how to infiltrate a corporate network by mailing an iPhone with a large backup battery to the target company. This allowed them to exploit vulnerable host on the internal network and then ship any acquired data back to themselves. In that case they eventually recovered this expensive portable computer (iPhone), but it would have been better if they didn’t have to worry about getting the computer back. There are other cases where one might want to use a computer without spending a lot of money on a smartphone, say, doing data collection in your near-space balloon.

In the talk “Sacrificial Computing for Land and Sky,” researcher Brendan O’Connor will explain how to build throw-away computers for less than US$80. These are computers that can be left at a target location without concern for recovering them.

Bluetooth
If the last time you followed Bluetooth security was more than a couple of years ago, you might think that Bluetooth is a broken protocol. Things have improved, though, with many of the old bugs and vulnerabilities fixed. There have been new attacks and new tools created for testing Bluetooth, but there are also techniques for protecting yourself from attackers. Researcher JP Dunning’s talk “Defending the King of Denmark with a BLADE” will cover his toolkit for detecting such attacks.

Near Field Communications and Radio Frequency Identification
New models of iPhones and Android smartphones are coming with NFC capabilities. These will eventually allow you to use your phone to buy goods and services just by tapping to pay. Having your credit cards tied to your phone or an RFID chip can be risky if security hasn’t been tested. Chris Paget, an expert on radio and GSM security, will present on the security vulnerabilities in today’s credit cards with RFID. Fortunately he will also cover ways to protect your credit cards.

Your phone-based credit cards aren’t necessarily safe. Researchers Corey Benninger and Max Sobell will go after NFC-enabled smartphones in “Intro to Near Field Communication (NFC) Mobile Security.” This is an extension to their Sector conference talk, but updated with new information on Google Wallet and the latest version of Android.

You might be familiar with RFID proximity cards used in your workplace to “badge in” and “badge out.” Penetration testers regularly bypass access-control systems that use such cards. Foundstone’s Brad Antoniewicz will showcase methods of attacking these RFID systems from multiple points of entry.

Android
Android malware is taking off with maliciously modified pirated apps and premium-rate SMS-sending Trojans. As threats increase, the need to analyze suspicious apps and compromised devices also increases.

Two talks will cover these aspects of securing an Android device: Matthew Rowley’s “A Blackhat’s Tool Chest: How We Tear Into That Little Green Man” and Joe Sylve’s “Android Mind Reading: Memory Acquisition and Analysis with DMD and Volatility.”  Both talks will include tool releases to help other researchers reverse-engineer malicious apps and dump memory from a running Android device.

iPhone
The iPhone does not escape scrutiny from these security researchers. David Schuetz will update his talk on the iPhone’s device-management interface. Device management allows your company’s system administrator or IT head to supply your iPhone with your corporate email or remotely wipe all the data when it is lost or stolen. He will cover changes in iOS 5 and other details.

Mobile exploitation
Smartphones aren’t always targets, sometimes they’re also used to attack. Researcher Pedro Joaquin will give a FireTalk, “ROUTERPWN: A Mobile Router Exploitation Framework.” Penetration Testers who need to test routers, access points, etc. can now pull out their smartphones and have access to ready-to-run exploits. The framework is written in JavaScript and HTML, so it doesn’t really matter what kinds of smartphones they have.

These are just a few of the mobile and embedded-related talks at ShmooCon. The weekend should be full of many more enlightening security-related presentations.

Two issues in SaaS for Total Protection have arisen in the past few days. In the first, an attacker might misuse an ActiveX control to execute code. The second involves a misuse of our “rumor” technology to allow an attacker to use an affected machine as an “open relay,” which could be used to send spam.

The first issue has much in common with a similar issue patched in August 2011. In fact, the patch delivered then basically cuts off the exploitation path for this issue, effectively reducing the risk to zero. Because of this, customer data is not directly at risk.

The second issue has been used to allow spammers to bounce off of affected machines, resulting in an increase of outgoing email from them. Although this issue can allow the relaying of spam, it does not give access to the data on an affected machine. The forthcoming patch will close this relay capability.

[Update: the patch for the spam issue is now rolling out to customers, and everyone should have the update shortly]

• Lind Weaver refused to pay hospital bills she received for the amputation of her right foot. It was in 2006, but the story still makes the headlines in 2011.
• Joe Ryan got a bill from a Denver, Colorado, hospital for a surgery. In was in 2004, but everybody talks about it today.
• The Virginia Prescription Monitoring Program welcome page was replaced in April 2009, with a US$10 million ransom demand.
• The Indian police arrested, in November 2009, the director of a business process outsourcing company for his involvement in stealing medical history data of a UK-based entity.

Finally, I visited the Datalossdb website, which is a great source of information.
For the year 2011 and the beginning of 2012, I searched for incidents where data types referred to “medical data” and the source excluded “Inside Accidental.” I obtained 176 rows. A quick analysis shows:

• 97 cases were related to the theft of documents or equipment (desktop, laptop, drive, tape, USB key, etc.)
• 21 cases were related to an inappropriate disposal of documents (dumpster, email error, recycling bin, etc.)
• 14 cases were related to a loss of documents or equipment
• 16 were unknown

 
I also found these incidents:

• 14 hacks (computer-based intrusion, data not generally publically exposed)
• 10 fraud or SE (fraud or scam–usually insider-related or via social engineering)
• 3 virus (exposure to personal information via virus or Trojan, for example, a keystroke logger, possibly classified as hack)
• 1 web (computer/web-based intrusion, data typically available to the general public via search engines, public pages, etc.)

Looking at this table we can conclude that, like any other personal data, medical data can be accessed by hackers and crooks. Whether from students, common patients, or Guantanamo detainees, their data was much coveted in 2011.

Although it is easy to find prices on the black market for personal data that can lead to the theft of funds, or forged drivers licenses, or passports, I was unable to find any reliable prices for stolen medical records. At the Digital Health Conference held on December 1, 2011, in New York City, a panel claimed that such records were worth US$50, much more than other personal identity data such as Social Security numbers or credit card information.

In a January 2007 interview with Pan Dixon, then executive director of the World Privacy Forum, he said, “Our research found that there is a huge black market for medical records. Police tell us such records go for $50 each on the street, compared to Social Security numbers that go for a dollar or two.”

I also found a price connected with the November 2009 case in India. It was said that the suspect sold data–for UK£4 per record–to an accomplice who marketed the private records in Internet chat rooms.

The scam, which offers free mobile battery recharge coupons, links to a fake website and appears as a wall post:

The scam automatically post this status on the wall to convince other friends to click on that link and get the “free” recharge. The post has a clear-text website address that points to the malicious website. Once users click on that link, they will be taken to the website, which asks for their Facebook account details.

Obviously this is a scam to steal Facebook account details. The victims, thinking they are getting mobile recharge minutes, blindly enter their real Facebook credentials. Once they click on the Log In button, they will be taken to another page. The account information has already been sent to the attacker’s server via the HTTP POST request. The site never even validates the credentials with the real Facebook, so even if you enter fake information, it will take you to a new page where you will be asked to answer a few surveys. For this post, we entered fake information and took some network packet captures. The next screenshot shows where user information is sent to the malicious server controlled by the attacker:

The Facebook username and password are sent in clear text in the HTTP POST request. While redirecting the new victim to the survey page, the same scam message is posted on that user’s wall to further spread the attack. Here is the survey page:

Victims are required to complete the surveys to get the recharge coupons, which do not exist. The attacker’s motive is simply to steal real Facebook credentials and to earn money with the help of the surveys.

We have learned from a few victims that their accounts were totally compromised after falling prey to this scam. The attacker not only changed their account passwords but also deleted their primary information such as email addresses. Even if the victims try to reset their passwords, they will never get the password reset email from Facebook.

Be careful when responding to lures and “offers” such as these. If a deal sounds too good to be true, it most likely is.

The elements that define private health information in the United States can be found in the Health Insurance Portability and Accountability Act (HIPAA).

Medical identity theft is the inappropriate or unauthorized getting, possession, use, or knowledge of individually identifiable health information to acquire medical services or goods, or to obtain money by falsifying claims for medical services and falsifying medical records to support those claims. Penalties are defined in the HIPAA privacy rule 42 U.S.C. § 1320d-6.

If you’re interested in cybercrime, you’ll find numerous and reliable statistics covering all aspects of those online misdeeds. Excellent Internet sources are the Federal Trade Commission, CyberSource, and the Internet Crime Complaint Center. But searching for data about medical identity theft is more difficult. Of these three sources, only the FTC lists medical identity thefts. The FTC claims that among all the complaints it registers (250,854 CNS identity theft complaints in 2010), medical theft amounts to only 1.3 percent (3,261 complaints).

Just to make medical theft searches more difficult, we find conflicting data. I have repeatedly read online that “Medical identity theft accounts for 3 percent of identity theft crimes, or 249,000 of the estimated 8.3 million people who had their identities stolen in 2005, according to the Federal Trade Commission.” When I searched for the source of this information, I found a November 2007 FTC report (page 21) that states “Three percent of victims said that the thief had obtained medical treatment, services, or supplies using their personal information.” However, a footnote adds: “Based on the responses of the 559 individuals surveyed who indicated that their personal information had been misused between 2001 and the date they were interviewed.”

Looking at specific surveys covering the United States, I have found some strange figures, such as 86,168 victims in 2001 and 255,565 victims in 2005. For example, the Redspin blog, states “Several of these cases, dating back to 2005, are documented by the World Privacy Forum along with many other patient record thefts. They also note an increase in medical identity theft victims from 86,168 in 2001 to 255,565 in 2005, and this number is still increasing. Only time will tell what new crimes come with the theft of electronic medical records.”

The problem is that these figures are from the FTC and cover the whole identity theft phenomenon, not solely medical theft.

The only acceptable figures I found on this subject are from the Second Annual Survey on Medical Identity Theft by the Ponemon institute:

Even if this table covers all medical identity theft categories (both online and offline), the figures seem high compared with the 8.1 million American identity fraud victims cited by Javelin Strategy & Research for 2010 or the 7 percent rate claimed elsewhere.

Next week, I will continue this blog by discussing a claim that medical record data is worth US$50 on the black market.

Reverse-engineering a Qualcomm baseband
Guillaume Delugré acknowledged researcher Ralph Phillip Weinmann’s work from last year during Delugré’s talk on reverse-engineering a popular 3G USB data stick.

Guillaume Delugré discusses how he reverse-engineered Qualcomm firmware and developed a debugger.

The USB stick runs a proprietary OS named REX. Delugré reverse-engineered a diagnostic mode used by Qualcomm engineers. Although some work has been done on documenting and using the diagnostics interface (the ModemManager project), he developed more detailed specifications.

Delugré explains the format for an undocumented diagnostics interface.

Cellular protocol stacks for Internet
Harald Welte, a lead developer of the Openmoko project and a Linux kernel developer, gave a good breakdown of various mobile data protocols. Cellular voice communication on GSM has gotten a lot of coverage over the years, but outside of the mobile industry there has been little to no information on how the data protocols function.

Harald Welte presents details on mobile data protocols.

The talk covered the layout of a number of the mobile data protocols, including the latest 3G protocols.

Diagram of UMTS network architecture.

Perhaps in the next year we will see more development in the exploitation and security of mobile devices.