Archive for the ‘Theft’ Category

New Year’s Resolution: Find Your Blind Spot!

Posted: January 1, 2018 by IntentionalPrivacy in Automobile hacking, Cell phone, Ethics, Issues, New Year's Resolutions, Privacy, Theft, Vulnerabilities
Tags: , , ,

Today is New Year’s Day, a day typically devoted to hangovers and making resolutions.

I recently saw a presentation about automotive computer forensics that made me think about New Year’s resolutions. In spite of my background in computer forensics, I had not considered that automotive computers were advanced enough to conduct forensic investigations on. I enjoyed the presentation and I seriously considered taking the class even though it would not advance my career in Texas.

But then the instructor ruined the class for me by doing two things.

The first was when the presenter—an instructor for a world-famous IT school—talked about driving his yellow muscle car at 65 MPH in a 15-MPH school zone and getting a ticket.

Does he use the ticket as an agent of change? Take his punishment? Learn to drive his car on a racetrack?

No, he was standing up there bragging about his yellow car and getting away with driving fast in a school zone. He is just like those rich-and-powerful gropers that have been lately in the news. They do it because they can and because they (at least used to) get away with it. I do not admire them and I do not admire him.

I appreciate that traffic tickets are expensive (particularly tickets in a school zone), that such a ticket would cause the recipient’s insurance rates to go through the roof, that such a driver might be required to attend traffic school, and that there might be other consequences. I understand the desire to avoid those consequences. I understand that he has a legal right to hire an attorney who will reschedule the court hearing until the police officer could not attend.

Since the police officer could not attend, the ticket was dismissed.

When he was talking about this experience, I was nodding right along with everyone else, but on the way home, I started thinking about what he said and who he is. This presenter possesses several certifications (such as a CISSP), many of which require the possessor to agree to abide by strict ethical standards. In fact, (ISC)2, the certifying body of the CISSP certification, issues just such a code of ethics. The relevant portion is listed below:

Code of Ethics Preamble:
  1. The safety and welfare of society and the common good, duty to our principles, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
  2. Therefore, strict adherence to this Code is a condition of certification.
Code of Ethics Canons:
  • Protect society, the common good, necessary public trust and confidence, and the infrastructure.
  • Act honorably, honestly, justly, responsibly, and legally.
  • Provide diligent and competent service to principles.
  • Advance and protect the profession.

Driving 50 miles above the speed limit obviously breaks several of those tenets (even though this situation was probably not what (ISC)2 had in mind). Another problem I have with his crazy driving is that this man appeared to be in his late sixties. Does he have the reflexes necessary to drive like this?

How far does a car going 65 mph travel before coming to a complete stop? According to Government-Fleet.com, “it takes the average driver from one-half to three-quarters of a second to perceive a need to hit the brakes, and another three-quarters of a second to move your (sic) foot from the gas to the brake pedal. Nacto.org states that “… if a street surface is dry, the average driver can safely decelerate an automobile or light truck with reasonably good tires at the rate of about 15 feet per second (FPS).” Let’s examine how that plays out.
Stopping65MPH
To put this in perspective, a football field is 300 feet long from goal post to goal post. A vehicle traveling 65 MPH (given average conditions) will take 396 feet to stop—more than the length of a football field!

The laws of physics apply to everyone. It does not matter how well you drive. If a six-year-old child steps in front of a vehicle traveling 65 MPH, he or she is dead. If the vehicle is traveling 15 MPH, the kid at least has a chance to learn a lesson.

The second thing he said that I had an issue with was when he was talking about how vehicle forensics is now appearing in court cases. As an example, he talked about a case in Texas where a minister regularly connected his phone to the car infotainment center over Bluetooth, which meant that things maintained on the phone such as contacts and photos are transferred to the car’s computer. He claimed that even if a picture is deleted from the phone, it stays on the vehicle computer. When the preacher took his car into the dealership for service, some of the dealership’s service people stole nude pictures of the clergyman’s wife from the car’s infotainment computer and posted them on a swingers’ site as a joke. One of the preacher’s parishioners told him about the pictures being posted. The clergyman and his wife were understandably upset about this and were suing the dealership.

Since I wanted to write an article for this blog about vehicle computer forensics and the amazing amount of information that can be obtained from an automobile’s computer systems, I looked for articles about that incident.

Except the articles I found about a Texas preacher whose wife’s nude pictures were posted on a swingers’ website had nothing whatsoever to do with the vehicle’s infotainment computer. The photos were stolen from the customer’s phone. When I realized that he had twisted the story to fit his theme, I was appalled.

What really happened: A preacher and his wife went to a Dallas Toyota dealership to buy a car. The minister had gotten a preapproval for the loan from an app on his phone. The salesman took the customer’s phone to show the manager the preapproval. While the salesman was out of sight, he found some nude pictures of the wife on the phone and emailed them to himself and the swingers’ site. Then erased the email. The couple were outraged—rightly so!—about this intrusion into their privacy and the theft of pictures of a “private moment.” They hired attorney Gloria Allred to sue Toyota, the Dallas dealership, and the car salesman. You can read more about it here.

A computer forensics professional is required to present the facts fairly and accurately. Given these two stories, would you trust this man to represent the facts fairly and accurately? Would you trust him to act ethically and honorably?

I am asking you to add these New Year’s resolutions to your list this year:

  1. Drive the speed limit. Drive as if it could be your child, your grandmother, or your dog in that crosswalk!
  2. Check the accuracy of your information before you give a presentation. Give citations, so that other people can verify your work. If I am in the audience, I will.
  3. Find your blind spot and change it to something positive.
  4. Do not allow anyone access to your phone, especially if that person is out of your sight.

Have a wonderful new year!

References

“Driver care: Know Your Stopping Distance,” http://www.government-fleet.com/content/driver-care-know-your-stopping-distance.aspx

“Vehicle Stopping Distance and Time,” https://nacto.org/docs/usdg/vehicle_stopping_distance_and_time_upenn.pdf

“Couple Sues Grapevine Car Dealership Claiming Salesman Shared Their Photos on a Swingers Site,” http://www.dallasobserver.com/news/couple-sues-grapevine-car-dealership-claiming-salesman-shared-their-photos-on-a-swingers-site-8957090

“Texas pastor claims Toyota car salesman stole his wife’s nude photos and emailed them to a swingers’ site,” http://www.dailymail.co.uk/news/article-3994292/Texas-pastor-claims-Toyota-car-salesman-stole-wife-s-nude-photos-emailed-swingers-site.html

Don’t forget physical security …

Posted: October 1, 2017 by IntentionalPrivacy in Identity theft, Personal safety, Social media, Theft
Tags: , , , ,

I belong to a neighborhood social media group. Recently, there has been post after post about vehicle and mail-box break-ins in our neighborhood. While avoiding all thefts is not possible, make it more difficult for thieves and maybe they will look for an easier target.

  • Keep your house and vehicle locked at all times.
  • Don’t leave anything – especially electronics and wallets or purses – in sight in your vehicles, remove documents with personal information – vehicle title/registration, loan paperwork, birth certificate, drivers license, passport, bills – from the vehicle.
  • Do not leave garage door openers or house keys, checks, checkbooks, or credit cards in your vehicle.
  • Keep your vehicle insurance in your wallet or purse.
  • A ring of identity thieves who broke into vehicles expressly to steal ID was busted in Dallas in April, story here:
    https://www.dallasnews.com/news/mesquite/2017/04/27/mesquite-thieves-unlocked-cars-became-keys-identity-theft
  • Especially don’t put expensive electronics in your trunk for long periods of time when parked in your driveway. You never know who’s watching you.

Also, your car insurance may not cover your losses if your auto was stolen or vandalized when it was unlocked.

The Texas Department of Motor Vehicles has a brochure you can download about how to protect yourself somewhat from auto theft at https://www.austintexas.gov/sites/default/files/files/Police/BRO_Atpa_120_WhereUR_EnglishFinal.pdf

Furthermore, try to collect your mail every afternoon or send your important mail to a post office or UPS box. You can also sign up for Informed Delivery by USPS at https://informeddelivery.usps.com/box/pages/intro/start.action – this email allows you to know if something is missing from your mailbox.

 

Getting creeped out by IoT …

Posted: August 8, 2017 by IntentionalPrivacy in IoT, Security or Privacy Initiatives, Theft
Tags: , , , , , , , ,

Common problems with IoT devices include their lack of privacy and security controls and their lack of transparency. “Transparency” in this case means that the end user knows and willingly agrees to how the device operates, especially on their home network.

I have recently been working on building a Raspberry Pi B+ home monitoring system. The Raspberry Pi is a handy little computer board geared to hobbyists or children learning to use computers; more than 12.5 million have been sold. Something that appalled me was the complete lack of discussion about securing the thing in the project plan I downloaded. Before you put any device on your home network, you should—at the very least!—change the default username and password (which for the Raspbian operating system is “pi” and “raspberry”).

Another example comes from the experience of a former co-worker who bought a new refrigerator, not knowing the refrigerator had network capabilities. The refrigerator tried to connect to her network. When she investigated further, the manufacturer said the network connection was used for troubleshooting maintenance issues and installing updates. What could possibly go wrong with a refrigerator that connects to a home network without the owner’s knowledge or consent? It probably has a hard-coded (unable to be changed) default username and password that a hacker could use to cause havoc with that refrigerator. For instance, maybe a hacker could shut the refrigerator off by connecting to it using the default username and password. Depending on when the owner realized that it was not working, an entire refrigerator worth of food could be spoiled. Or maybe they could override the water shutoff for the automatic ice maker, resulting in water all over the floor. It could also provide an entry point into the home network. Argh!

Then there’s the iRobot 900-series Roomba, which currently uses a camera and sensors to vacuum a home. It has mapping software that allows the robot to avoid objects in its path, know where it has already cleaned, return to the dock for recharging, and then pick up vacuuming where it left off. Handy!

According to Reuters, a new feature that iRobot is planning to introduce is sharable home maps. While mapping software could bring many benefits to a smart home—such as improved air flow, temperature regulation, and lighting—sharing such data publicly could be a mistake. Even if iRobot only shares with certain companies, what happens if one of those companies get breached? Could such a breach allow a thief access to download your home map to help them decide what to steal from your home?

Recordings from an Amazon Echo—which listens and records supposedly only conversations that have a keyword such as “Alexa” in them—have already been requested as evidence in an Arkansas murder court case.

There are some organizations that are currently claiming to be examining the security and privacy of IoT devices, which include:

  • AV-TEST Institute – you can check out their findings here.
  • I am the Cavalry – a grass-roots organization that looks at the computer security of medical devices, automobiles, home electronics, and public infrastructure here.
  • UL (formerly Underwriters Laboratory) has published UL 2900 ANSI Standard for Software Cybersecurity for Network-Connectable Products. Unfortunately, it costs between $225-250 for a copy of the standard and I cannot find any products that they have certified.

In the first session of the 115th Congress, Senators Warner, Gardner, Wyden, and Daines introduced the ‘‘Internet of Things (IoT) Cybersecurity Improvement Act of 2017.” While this act would currently only apply to IoT devices on government networks, hopefully most vendors would put the same security and privacy features in their consumer products. You can read a one-page summary of the bill here and a full version here.

Thank you Senators Warner, Gardner, Wyden, and Daines. Long overdue!

No security anywhere …

Posted: May 19, 2017 by IntentionalPrivacy in Conferences, Privacy, Theft, Vulnerabilities
Tags: , ,

I was at a conference yesterday. When I went to register, the computer system being used had a label with the username and password right next to the touchpad. There was a problem with my registration, so the conference sent me an email. It contained the names of three other people–unknown to me–at the conference.

Next, we went to the exhibits. The first trailer we went to was open and no one was there. On a table inside was an open, logged-in laptop and a cell phone. Who would have known if I had taken the laptop or phone, or worse, taken information from the laptop?

Pay attention to what you do. Always lock your laptop (press the Windows and L keys simultaneously) when you have to leave it with someone you trust and do not leave your belongings unattended in a vehicle, or at a conference, a restaurant, or a coffee shop.