Monday, April 15, 2013

The "Jerry Fletcher": who's watching? should you be paranoid ?

Conspiracy Theory 

Was the name of the movie that Mel Gibson played as a character named " Jerry Fletcher ".  The movie was a classic, & with great acting via Mel.  This brings up my rant about the internet and who's doing what with our data ?

We use the internet for everything from ; downloading movies, making calls, checking our emails, mobile device access,  etc....

  • Is this information really  keep safe and secured?

  • the persons and groups managing theses systems, "who are they, what's their background, are the security cautious" ?

  • Do we know who all  has access to our information?

  • Is their any way to  really find out ?

Okay so the above, is a  list of questions, everybody should be asking themselves. We live in a day and age, where we freely give any tom , dick & harry our information,  and we never think twice about what's really happening.

Take a personal life example of mine.  I'm enrolled in some type of ID watch program, due to a backup-tape, with my payroll data/information ( Name, SSN, Address, god only know what else ) was lost by IronMountain. Due to full disclosure, the former employeer had to notify me of the potential risk  & that my information could be out in the wind. Knowing IronMountain, the box with tapes in it,  probably fell off the truck :)

Here's another example, I did a network/security refresh for a major health organization less than 8 years ago. They had those big 30gal sensitive information  destruction collector containers, that you drop in notes, half-written applications, or other documents that contains sensitive info,  etc....


like one of these

The papers inside typically has some  types of  sensitive information on it such as ; DOB, SSN, your address,  county/state/county of birth, Driver-ID#, list of your doctors and any health questionnaire answers ( do you have AIDS/ herpes, are you pregnant, and when was your last bowel movement, etc.... ). They where very much surprised, when I demonstrate that a partial filled container could be compromised, and information easily retrieve from the entry slot. Now you have a medical building with multiple floors/wings, who has access by the midnight cleaner crew, snack vendor guy , building maintenance , and god only knows who else. And we do not have any ideals on their backgrounds, trustworthiness or criminal background. For all we know, Julie from the "office clean inc", could be making a few extra $$$.$$s by harvesting some ID information off a few spent & discarded applications.

What was scary about this, I went onsite thru the loading dock and found one of these containers sitting freely on the dock unsecured.

Okay so now let's look at some of the electronic examples. I worked in numerous outfit which made use of a secured email system (ironport,Macafee,etc ) and theses  outfits would have persons that would take a encrypted electronic file attachment, now send it thru a non-encrypted means or storage on a fileserver with no  filesystem encryption. So it was secured at one time & age, but now it's just been freed like a white dove at a wedding.

How about that WiFi hot-spot? Would you be surprise, if I told you some of my  earlier wifi interception activities that I did,  and  all by harvesting  user/password combos that I collected at borders book, using a wifi adapter and ettercap and/or dsniff.

These types of locations, deploy a wifi systems with no privacy between the associated clients, so anybody on the GUEST-WIFI, could see all other traffic. And if you had any device ( laptop, phone, ipad, etc...) that access any online systems & without any security, your password could be harvest.  The end users where dumb to this fact, or  had no knowledge of the systems & the exposure they where putting their selves at. So they had no clue, that the guy sitting 2 tables down ( me ) , could see and intercept their wifi transmissions, and harvest their online user details.

For a demo, I stole a few  passwords from a guy that had a iphone email account setup to use POP3. Once I had his username/passswords, I could now access his email account and retrieve his personal emails. One guy I did this to, was an insurance salesman. So most of his email had homeowners applications for insurance policies. These forms listed everything from their address, place of employment, any active alarm monitoring systems installed, & down to their annual income.

I bet he  ( the salesman ) didn't know that I had his this access, and nor did his clients. If they would have found out they would have been ;

and then 

Here's another example, at the same wifi hotspot, I intercepted a lady who, I will call her ( and no that's a made up name :) ), she was accessing her email in the clear. The same username and password that she used for email at her mail account, was the  same password for ; ebay, paypal, and her online banking.

Yes , charlie123 did not change her username/login, and used the exact same  logins for the above and probably even more.

Okay are you scared now ?

Last example, a colleague of mine order his baseball tickets from a online ticket broker, using his SIP/VoIP access. He gave his credit card#, ccv#, billing address, and other information to a person over a unsecured means, and  thru the internet at that. All in order to get our baseball tickets at $44.00.

Okay, so now let's think about this.

  • be careful of the external systems you use 
  • ensure that any passwords you use, are unique  &  for the various systems that you access
  • try to limit the information present to these systems
  • review your own security posture & procedures
  • try to manage a smaller digital foot-print  ( I got rid of 90% of my social online access in just the last 3 years  alone )
  • eliminate cookies within your browser
  • eliminate or erase your browser history or use some type of safe-browse
  • configured your browser to only support strong cipher_suites
  • validate all sites urls ( just don't click on  them in the link )
  • validate all sites certificates
  • don't fill out those stupid "write your email down here" or mailing list
  • if you have to  use a wifi hotspot that open  & with no security, vpn back into a secured network & ensure split-tunnel is off.
btw:  I host vpn gateways just for this purpose, to allow for roadwarriors to gain access to internet via a more secured channel 

I host anonymous mail aliases for individuals who wants to cut down on spam'd email.

 and lastly;   stay off the internet 

( the best advice  that I can offer)

Yes, if you don't use the internet for your access, than your information,  would not be exposed. But you still have the other concerns as given in the start of this blog. You can't trust any body with keeping your information secured. So don't trust anything or anybody, with security of your information.

Ken Felix
Freelance Network/Security Engineer
kfelix -a-t- hyperfeed -d-o-t com

No comments:

Post a Comment