Tag Archives: consumer

Sometimes, It Happens…

Posted on by
4

Sometimes things fail in interesting ways. Sometimes they fail in dangerous ways. Occasionally, things fail in ways that you simply can’t predict and that are astounding.

In a recent assessment of a consumer device in our lab, we found the usual host of vulnerabilities that we have come to expect in Internet of Things (IoT) devices. But, while testing this particular device, which is also tied to a cloud offering for backup and centralization of data – I never would have predicted that a local device would have a full bi-directional trust with a virtual instance in the cloud.

Popping the local device was easy. It had an easy to compromise “hidden” TCP port for telnet. It took my brute force tool only moments to find a default login and password credential set. That’s pretty usual with IoT devices.

But, once I started poking around inside the device, it quickly became apparent that the device configuration was such that it tried to stay continually connected to a VM instance in the “cloud storage and synchronization” environment associated with the device and vendor. How strong was the trust? The local device had mount points on the remote machine and both systems had full trust to each other via a telnet connection. From the local machine, simply telnet to the remote machine on the right port, and without credential check, you have a shell inside the cloud. Not good…

But, as clear of a failure as the scenario above was, the rabbit hole went deeper. From the cloud VM, you could see thousands of other VMs in the hosted cloud environment. Connect from the VM to another, and you need the default credentials again, but, no sweat, they work and work and work…

So, from brute force compromise of a local piece of consumer hardware to a compromise of thousands of cloud instance VMs in less than 30 minutes. Ugh… 

Oh yeah, remember that storage centralization thing? Yep, default credentials will easily let you look through the centralized files on all those cloud VMs. Double ugh…

Remember, I said bi-directional? Yes, indeed, a connection from a VM to an end-point IoT device also works with assumed trust, and you get a shell on a device with local network visibility. Now is the time you kinda get sick to your stomach…

These kinds of scenarios are becoming more common as new IoT devices get introduced into our lives. Yes, the manufacturer has been advised, but, closing the holes will take a complete redesign of the product. The moral of this story is to pay careful attention to IoT devices. Ask questions. Audit. Assess. Test. There are a lot of bad security decisions being made out there in the IoT marketplace, especially around consumer products. Buyer beware!

The Mixed Up World of Hola VPN

Posted on by
4

Have you heard about, or maybe you use, the “free” services of Hola VPN?

This is, of course, a VPN, in that it routes your traffic over a “protected” network, provides some level of privacy to users and can be used to skirt IP address focused restrictions, such as those imposed by streaming media systems and television suppliers. There are a ton of these out there, but Hola is interesting for another reason.

That other reason is that it turns the client machine into “exit nodes” for a paid service offering by the company:

In May 2015, Hola came under criticism from 8chan founder Frederick Brennan after the site was reportedly attacked by exploiting the Hola network, as confirmed by Hola founder Ofer Vilenski. After Brennan emailed the company, Hola modified its FAQ to include a notice that its users are acting as exit nodes for paid users of Hola’s sister service Luminati. “Adios, Hola!”, a website created by nine security researchers and promoted across 8chan, states: “Hola is harmful to the internet as a whole, and to its users in particular. You might know it as a free VPN or “unblocker”, but in reality it operates like a poorly secured botnet – with serious consequences.”[23]

In this case, you may be getting a whole lot more than you bargained for when you grab and use this “free” VPN client. As always, your paranoia should vary and you should carefully monitor any new software or tools you download – since they may not play nice, be what you thought, or be outright malicious. 

I point this whole debacle out, just to remind you, “free” does not always mean without a cost. If you don’t see a product, you are likely THE PRODUCT… Just something to keep in mind as you wander the web… 

Until next time, stay safe out there!

Consumers are Changing their Minds about Data Breaches

Posted on by
Reply

Per this article in Fast Company, it now seems that some 72% of consumers expressed an impact in their perception of a retail brand following a breach announcement. However, only 12% actually stopped shopping at the breached stores.

This appears to be a rising tide in the mind of consumers, with an increase in both attention and action versus previous polls.

Add to that the feelings of fatigue that we have been following on social media when breaches are announced. TigerTrax often identifies trending terms of frustration around breach announcements, and even some outright hostility toward brands with a breach. Not surprising, given the media hype cycle today.

TigerTrax also found that a high percentage of consumers were concerned to a larger extent about information privacy than in the past. Trending terms often include “opt out”, “delete my data” and various other conversation points concerning the collection and sharing of consumer information by vendors.

Retailers and other service providers should pay careful attention to this rising tide of global concern. Soon, breaches, data theft and illicit data trafficking may show significant increases in consumer awareness and brand damage is very likely to follow…

How Cloud Computing Will Leak Into Your Enterprise

Posted on by
1

“Consumer use of the cloud”; in a phrase, is how the cloud will leak into your enterprise, whether you like it or not. Already, IT is struggling with how to manage the consumer use of devices and services in the enterprise. Skype/VoIP and WIFI were the warning shots, but the BlackBerry, iPhone, iPad and other consumer devices are the death nail for centralized IT (and IS) control.

Consumer electronics, backed by a wide array of free or low cost cloud services, are a new frontier for your organization. Services like MobileMe, DropBox, various file sharing tools and remote access services like GoToMyPC, et al. have arrived. Likely, they are in use in your environment today. Consumers use and leverage these services as a part of their increasingly de-centralized online life. Even with sites like Twitter and FaceBook growing in capability and attention, consumers grow their use, both personally and professionally of services “in the cloud”. Make no mistake, despite your controls at the corporate firewalls, consumers are using their mobile and pocket devices and a variety of these services. Unless you are searching them at the door and blocking cell phone use in your business, they are there.

This might not be “the cloud” that your server admins are worrying about. It might not represent all of the off-site system, database and other hosting tools they are focused on right now, but make no mistake, this consumer version of the cloud has all, if not more, of the same issues and concerns. Questions about your data is managed, secured and maintained all abound.

Given the “gadget posture” of most organizations and their user communities, this is not likely to be something that technical controls can adequately respond to. The consumer cloud services are too dynamic and widespread for black listing approaches to contain them. Plus, they obviously lack centralized choke points like in the old days of “network perimeter security”. The new solution, however, is familiar. Organizations must embrace policies and processes to cover these technologies and their issues. They also have to embrace education and awareness training around these topics with their user base. Those who think that denial and black listing can solve this problem are gravely mistaken. The backdoor cloud consumer movement into your organization is already present, strong and embedded. Teaching users to be focused on safe use of these services will hopefully reduce your risk, and theirs.