Jun 29, 2007 (08:06 AM EDT)
Loss of Innocence
Read the Original Article at InformationWeek
8:00 AM -- It was comforting, even reassuring, that there was a world out there where everyday folk were mostly insulated from the security worries that we on the front lines obsess and debate about every day. Sure, we've gotten Grandma to update and run her antivirus regularly and watch her credit-card bills for anomalies, and we've educated the kids about the risks of social networking and downloading music off LimeWire. They may still be fresh meat for botnet herders, but they aren't losing sleep at night over cross-site scripting (XSS) and data leakage.
So what's this world coming to when even truck drivers -- as in their 18-wheelers -- can get hacked? These guys are sleep-deprived enough without having to worry about their RFID-tagged, electronic product code (EPC)-labeled load of plasma TVs getting hacked in a drive-by, which researchers have shown is easily doable with off-the-shelf, standard EPC Generation 2 readers and antennas. (See Hacking Truckers.) It could make them an easy mark for criminals as well as for a competitor sniffing around for shipping intelligence.
Consumers are getting savvier about detecting phishing emails, but there's not much they can do if there's a "man in the browser," where an attacker intercepts and manipulates an online banking customer's transactions in order to hijack their accounts or identities. (See Killing That 'Man in the Browser'.)
And the so-called sleeping giant vulnerability, cross-site request forgery (CSRF), is slowly emerging from his slumber. The bug has been detected in the products of eight security vendors, including Check Point, which this week patched the bug in its Safe@Office Unified Threat Management device. (See CSRF Bug Runs Rampant.) Seven more vendors have CSRF-vulnerable products, but thanks to responsible disclosure, they remain anonymous until they decide to patch.
Besides the fact that the bug is in security products, which we rely on to protect us, even scarier is that it's in most everything with a Web-based interface, including your home printer, firewall, DSL router, and IP phone. Plus it's tough to detect, much less mitigate.
Meanwhile, enterprises are questioning the old standby, encryption. U.S. Trust's business information security officer says encryption can be overkill in some situations because criminals are more likely to go after the low-hanging fruit, the endpoint, by sliding in a keylogger or sending out a phishing email, rather than going after an encrypted file. (See Users: Encryption No Silver Bullet.) An employee gone bad could lift an encrypted file merely by taking a digital photo of it, another speaker pointed out on a user panel on enterprise data protection, which was held in New York this week.
Then there's Grandma, who's now attending Black Hat USA, the famous hacker conference held in Las Vegas. And she's not there to play the one-armed bandits, either: Researcher Dan Kaminsky, who is best known for his Black Ops talks at Black Hat and his work on Microsoft Windows Vista security, proudly notes that his 80-something grandmother -- who basically bankrolled his first Black Hat trip to Vegas after his college graduation -- regularly goes to the hacker show because "it's interesting." And she likes listening to her grandson chat about his latest research, especially when he uses "pretty" graphics in his presentations. (See Black Ops & Grandma.)
What happened to getting away from it all, over the river and through the woods to grandmother's house? Blame it on the man who jumped between Grandma's browser and her online bank account.
Kelly Jackson Higgins, Senior Editor, Dark Reading