There's some pretty scary stuff on the screens at your local googleplex cinema these days. You've got your choice of serial killers (Zodiac, Hannibal Rising), a nutter with numerical obsessions (The Number 23), and a super-anti-hero in touch with his Inner Satan (Ghost Rider) to name just a few.
But if you're a propeller beanie type who has to deal with computer security issues, you don't need supernatural pyromaniacs or cannibalistic mass murderers to keep you awake at night. No, in this business all you need are reports from the Black Hat security conference.
For the benefit of those of you who don't spend your days worrying about things like rootkits and Remote Access Trojans, Black Hat is a company that provides briefings and training on security issues to both private and public sector clients of all sizes. It brings together, according to its web site, “the best minds from government agencies and global corporations with the most respected independent researchers and hackers” to provide state of the art information on how to defend your company from criminal hackers, identity thieves, and related virtual outlaws. The Black Hat conferences, which take place four times a year, provide an opportunity for security professionals to meet, greet, and compare notes.
They also provide the rest of us with fodder for digital nightmares. The latest conference, which concluded March 1st, included briefings on the threat of rootkits, the risks posed by the widespread use of RFID tags, vulnerabilities in the ways databases communicate with each other, various ways that web applications can be hacked (and how to stop those hacks), and a presentation on what's referred to as “data seepage”.
This last one was of particular interest to me, since it touches on an issue I referred to in an earlier blog entry: the foolish and often reckless ways in which the average computer user cruises along the Information Superhighway. Data seepage refers to the little bits of personal information our laptops, handhelds and even smartphones are broadcasting to the world at large – and therefore to criminal hackers – when we use those nifty free wireless networks at the local coffee shop or airport.
The problem, you see, is that those networks are unsecured. That means that anything you do at your laptop can be picked up by others on the same network using “packet sniffers” or other network monitoring applications. They can determine what type of hardware and operating system you're using, what other wireless hotspots you've connected to in the past, what web sites you're visiting and any personal information you've been foolish enough to enter. At the very least, the bad guys can pick up enough information to make you and/or your employer the target of a “spear phishing” attack. At the worst, they might gain the ability to read your e-mail, steal your on-line identity, and even plant spyware on your computer.
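To make the previous paragraph concrete from the defender's side, here is a small added example (my own illustration, not code from the original post and not Errata Security's Ferret tool). It takes a constructed summary of the kind of frames a monitor on the same open network would see, with every hostname, user name, password and SSID made up, and sorts what each cleartext field gives away into the categories the paragraph lists: hardware/OS fingerprint, network history, web sites visited, and credentials. It also shows the caveat that the TLS server name (SNI) is sent in the clear during the handshake, so the destination still leaks even when the page itself is encrypted, while a VPN tunnel leaves only the tunnel endpoint visible.

```python
from collections import defaultdict

# Constructed traffic summary, as a network monitor on the same open Wi-Fi
# network might report it. All names, hosts and secrets are made up.
SAMPLE_RECORDS = [
    {"proto": "802.11-probe", "encrypted": False,
     "fields": {"ssid": "HomeNet-5G"}},                       # hotspot seen before
    {"proto": "dhcp", "encrypted": False,
     "fields": {"hostname": "jdoe-laptop", "vendor_class": "MSFT 5.0"}},
    {"proto": "http", "encrypted": False,
     "fields": {"host": "webmail.example.test", "cookie": "session=abc123"}},
    {"proto": "pop3", "encrypted": False,
     "fields": {"user": "jdoe", "pass": "hunter2"}},           # mail login in the clear
    {"proto": "https", "encrypted": True,
     "fields": {"sni": "bank.example.test"}},                  # content hidden, name not
    {"proto": "vpn-tunnel", "encrypted": True,
     "fields": {"peer": "vpn.example.test"}},                  # only the endpoint shows
]

# What each cleartext field reveals, and how bad that is (1 = fingerprint,
# 2 = enough to target you, 3 = a usable credential).
SEEPAGE = {
    "ssid": ("network history", 1),
    "hostname": ("device identity", 1),
    "vendor_class": ("hardware/OS fingerprint", 1),
    "host": ("web sites visited", 2),
    "sni": ("web sites visited", 2),
    "user": ("account name", 2),
    "cookie": ("session credential", 3),
    "pass": ("password", 3),
}

# Fields that stay visible even when the payload is encrypted: the TLS server
# name in the handshake, and the address of a VPN peer.
VISIBLE_UNDER_ENCRYPTION = {"sni", "peer"}


def assess_exposure(records):
    """Return {category: [(protocol, value), ...]} for everything a bystander could read."""
    exposed = defaultdict(list)
    for rec in records:
        for name, value in rec["fields"].items():
            if rec["encrypted"] and name not in VISIBLE_UNDER_ENCRYPTION:
                continue  # inside the encrypted payload, so not readable
            if name in SEEPAGE:
                category, _weight = SEEPAGE[name]
                exposed[category].append((rec["proto"], value))
    return dict(exposed)


def risk_level(exposed):
    """Label the report by its worst category."""
    worst = max((w for cat, w in SEEPAGE.values() if cat in exposed), default=0)
    return {0: "none", 1: "fingerprint", 2: "targeting", 3: "credential"}[worst]


if __name__ == "__main__":
    report = assess_exposure(SAMPLE_RECORDS)
    for category, items in report.items():
        print(f"{category}: {items}")
    print("risk:", risk_level(report))
```

Run as-is, the report shows the POP3 password and the webmail session cookie at the top, the visited hostnames (including the HTTPS one, via SNI) next, and the probe-request SSID, DHCP hostname and vendor class as the fingerprint layer. Feeding only the VPN record yields no exposure at all, which is the point of the VPN advice later in the post.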
This isn't just theoretical. Even at Black Hat conferences – where you'd assume everybody is pretty cyber-savvy – there's a Wall of Shame (actually a large video monitor) displaying, in real time, personal information being sent unencrypted on the conference wireless network. During their presentation on data seepage last week, in fact, experts from Errata Security “were able to use [their network monitoring application] Ferret to intercept an e-mail sent to a reporter working in another conference session. The message included one of her applications' passwords”, according to ComputerWorld columnist Matt Hines' report from the conference.
Fortunately for her, Hines doesn't sniff and tell.
There are ways you can protect yourself from this kind of exposure, of course. You can make sure your laptop is as secure as possible (I refer you to my ten-point safety check for details) and you can subscribe to a VPN (virtual private network) service for those times when you really need to use one of those “free” wireless networks. That old saying “there's no such thing as a free lunch” applies in cyberspace as well, you know.
Look for this data seepage issue to get worse before it gets better, especially with towns and cities rushing to implement municipal WiFi networks. For the well-equipped cybercrook, the only thing more attractive than an airport full of laptops cheerfully leaking personal information is an entire city full of them. It's like shooting phish in a barrel.
Now THAT'S scary!