Don’t have nightmares

[As ever you can read this on the BBC News website. Or on any of the spamblogs that rip off my copy and use it as linkbait.]

Anyone concerned about the security of their computers and the data held on them might sleep a little uneasily tonight.

Over the past few weeks we’ve heard reports of serious vulnerabilities in wireless networking and chip and pin readers, and seen how web browsers could fall victim to ‘clickjacking’ and trick us into inadvertently visiting fake websites.

The longstanding fear that malicious software might start infecting our mobile phones was given a boost when the Information Security Center at US university Georgia Tech outlined how phone software could be hijacked to create ‘botnets’ and allow handsets to be remotely controlled.

And now a group of researchers at the Security and Cryptography Laboratory at Ecole Polytechnique Federale de Lausanne in Switzerland have shown that you can read what is typed on a keyboard from twenty metres away.

It takes some sophisticated equipment to do it, but with the right antennae and a bit of luck it seems you can detect the radio emissions coming from the wires that connect keyboards to computers and tell just what someone is typing.

Web addresses, usernames and passwords are all visible, as well as the content of letters, emails and Facebook updates.

These aren’t wireless keyboards, which are clearly vulnerable to snooping, but the good old USB or PS/2 keyboards we all use every day.

And even though the kit you need isn’t the sort of stuff that your average credit-card skimmer is going to have lying around their flat, it shows that there are many unexpected vulnerabilities to be discovered.

The researchers suspect that cheaper keyboards with poor shielding are to blame, so government departments and hospitals may have to find a better supplier if even more of our sensitive data is not to leak out.

This is a good example of how lack of foresight can lead to security problems when faster hardware catches up with the assumptions made by system designers, and it also lies behind the newly-emerged vulnerability that affects secure wireless networks.

Many encryption tools are susceptible to brute force attacks, for example, where a programme simply tries all the possible keys until it finds the right one. The developers believe that this will take too long for it to be useful, ideally some significant proportion of the age of the observable universe.

However the latest version of a password recovery tool from Elcomsoft takes advantage of the astonishing processing power of the latest range of Nvidia graphics processing units (GPUs) to crack both WPA and WPA2 wireless security in a matter of hours or even minutes, rendering most commercial wireless networks open to attack.

Since it was a wireless vulnerability that allowed criminals to break into the corporate network of TK Maxx’s parent company and steal details of forty-five million credit cards, this is a threat to be taken seriously.

A few years ago these problems would only have been reported in the computer trade press or in the technology sections of the more serious newspapers, where they were unlikely to bother the majority of network users.

Now they get more widespread attention and are often presented as marking an imminent internet apocalypse.

It is, of course, important that all net users appreciate the importance of protecting their computer and know how to avoid malicious websites, phishing scams and other attempts to subvert their online activities, but it can go too far.

Last week I gave a talk to a group of people in Blockley, Gloucestershire, where I was trying to persuade those who were somewhat sceptical about the usefulness of the internet in their lives that the network has opened up new and incredibly beneficial opportunities for sharing, interaction and education.

It was one of the increasingly rare occasions when I can lower the average age of those present by entering the room, and I wanted to convince those present that it was worth spending time online.

There was a lot of concern over inappropriate content and how we ensure that children are kept safe, but I also had to field questions about the security of online banking and how to protect computers from viruses and other malware.

These concerns are reasonable, but not if they stop people going online or using the net to the full. The dangers that face us, both the ones we know about already and the ones being discovered by security researchers every day, are not a reason to stay offline, they are a reason to be cautious when going online.

When Nick Ross presented Crimewatch on BBC television he would conclude his litany of tales of crime, violence and disorder by exhorting viewers not to have nightmares.

Perhaps we need something similar to accompany the growing number of warnings over net fraud, wireless security and broken encryption. It may be bad out there, but it isn’t quite broken.

Bill’s Links
Mobile botnets:
Clickjacking flaw fixed:
Insecure keyboards:
And a video:
Wireless keyboards cracked:
Wireless security broken:
TK-Maxx wireless broken:

2 Replies to “Don’t have nightmares”

  1. HOW DO YOU DO… NIGHTMARES

    So the best way in the 21st century to have nightmares is the thing you’re doing right bleeding now. Living is the number one cause of nightmares. So, to get the worst out of your brain’s sense of lurid greed, get a job in sales; some sort that involves lying to victims of say, domestic abuse. Don’t shy away, find out their awful details then make sure they’re left without heating in December because of some small print about differing payments not allowed, that you wrote in biro when they weren’t looking…

    …more at lifestyleguides.blogspot.com

Comments are closed.