Wireless Keyboards are easily hacked

Wireless keyboards can be intercepted, very easily. This is something you should be aware of not only when purchasing new equipment but when using someone else’s computer. There’s no real defence against it either, other than using a wired keyboard.

Before I explain the risks let me point out which keyboards it does and doesn’t affect:

  • All keyboards using a 27MHz transmitter are at risk (which includes most of them)
  • Keyboards that advertise "wireless encryption" or "secure" features are also at risk
  • Bluetooth keyboards are safer (though these are generally more expensive)

typewriter The risks of such an "attack" should be obvious – other people within range could be recording every keystroke. This includes the address of websites you go to, usernames, passwords, the contents of emails, chat conversations, etc.

In a business environment this would be a critical breach of security. Giving away passwords, trade secrets, and other sensitive information is quite serious, and in a lot of cases criminally irresponsible. Wireless keyboards that fall into the "at risk" categories above should be banned.

At home the risks are just as serious. Anyone using a home computer to do internet banking should immediately recognise the dangers of giving away too much information (i.e. finding a large amount of money removed from your bank account). Again, either use a wired keyboard at home, a Bluetooth wireless keyboard (expensive), or limit the keyboard & computer’s use to trivial tasks such as gaming.

How does the attack work?

Well, it seems there are only 256 possible encryption codes, so hackers have cleverly written software that tries them all within seconds. Then there are other tricks they use to break the encryption that some keyboards use (for the IT savvy reader, it’s an XOR protocol).

So it takes about 20 to 50 keystrokes before enough information can be gathered to break the encryption.

How close does one need to be to "sniff" wireless keyboard signals? Usually it’s 4-8 feet, or 1-3 metres. But with more powerful aerials this can be extended much further (hundreds of metres).

Also keep in mind that Bluetooth generally isn’t a very security protocol. It’s only considered safer because of how easy it now is to hack normal wireless keyboards. But you shouldn’t use it to keep million dollar secrets.

There’s a video here demonstrating how it works (warning, it’s geeky and technical): Wireless keyboard hacking.

So go back to wired keyboards, they not only more reliable and more secure, they don’t have batteries that need replacing or recharging.

Chinese CyberSpying

Security Gate British businesses are being warned about Chinese industrial espionage aimed at retrieving financially sensitive data. In particular, at least 1000 businesses have been warned that they’ve potentially been targeted to obtain data on their trading with Chinese companies, in an attempt for the Chinese parties to negotiate higher prices in their business dealings. There’s an article here with the full story.

This post is aimed at businesses, whether large or small. Online espionage, or cyber spying, is a real threat. It doesn’t necessarily need to come from China either, the technology and skills exist in just about every city and country that’s connected to the internet.

Everyone needs to secure both their networks and the computers with it. The old belief that a firewall is enough has always been false, even more so now that data threats can come from so many levels (see the SANS document that was mentioned here earlier). It’s everyone’s responsibility to do everything within their power to increase security. The threats are out there, large amounts of (your) money are stake, and there’s always something you can do.

So now is a good time to review your network security and to improve it.

Bluetooth Headsets

Most Bluetooth headsets are not secure. I encourage everyone to watch the video linked below to see how easy they are to hack.

In this demonstration by Joshua Wright he connects to a stranger’s bluetooth headset and is able to eavesdrop on the random stranger. He also briefly shows how audio can also be sent to the headset. Anyone with a Bluetooth headset that’s currently on is at risk of something like this. The biggest part of the risk is that almost all Bluetooth headsets use a default PIN (usually 0000).

Watch the video here.

Collecting Passwords

This statement from Bruce Schneier is interesting,

How to harvest passwords: Just put up a password strength meter and encourage people to submit their passwords for testing. You might want to collect names and e-mail addresses, too.

It points out how easy it is for someone to collect passwords. A couple of human weaknesses are at play here:

  • People tend to trust programs they come across on the internet (and websites and services) . More-so if it looks new and shiny.
  • People tend to use the same password on multiple sites.

The internet’s a very dynamic environment, and with the rise of Web 2.0 we have lots of interesting new sites appearing daily. Most of them ask us to register, to provide a username and a password.

And behind every interesting new site are people (the programmers). Most of the time their intentions are honourable, providing an application online (and often for free). But what if a website’s intentions are more devious? What happens when you register an account and type in a (new) password? Usually it gets encrypted and stored in a database. It would be a simple task for the programmer to change the code and get it to store your password in some other way. And if people continue to use one or two password for all sites this information becomes a little more valuable.

In other words it would be easy for the programmer of any new and interesting web site to collect user names, email addresses, and your favourite passwords.

So always be cautious of where you type your password, it can be a valuable thing.

Don’t always trust websites. There are a few exceptions – Google for example does an excellent job with their users’ security.

And whenever possible don’t reuse important passwords on websites you don’t trust.

Keep critical software up to date

Some programs you use are critical to the safe use of your computer, and it’s important to keep these patched.

In this article critical software is the collection of programs (both visible and those that run in the background) that transport information from a web server to your screen. It’s the chain of data flow that you use the most often when using the internet.

You have your operating system (e.g. Windows, MacOS, Linux), a web browser, and a stack of drivers that basically make the internet work for you. This is a simplified model, most people’s computers will be unique and full of all sorts of programs.

Because information is flowing along this chain of programs, data being handed off from the operating system to the web browser, every link in the chain is critical. And like the old mantra, the price of security is eternal vigilance. In this case we’re looking at the eternal task of patching your software.

Patches are released by software vendors, whether it’s a free open source program or from a commercial software company. Patches are written because the programmers are always fixing bugs, in particular they’re always fixing security vulnerabilities as they are discovered. It’s a way of strengthening each of the links in your data chain.

The point of this article is that you should always update the following:

  • Patch your operating system (Windows, Mac OS, Linux, etc). Yes there’s a risk in being the first to install a patch, it might break something. Large companies have long complicated procedures to test patches before installing them. Small companies and home users need to take the risk and apply the patch blindly, trusting the vendor. It’s a choice between having the most secure computer possible or waiting to see if a patch is released by mistake. My advice is to take the secure option and make regular backups of all your data (backups would be a good topic for a future article). Most operating systems these days have automated patching systems in place making this simple and often a transparent process.
  • Patch your web browser. All web browsers need to be patched – Microsoft Internet Explorer (IE), FireFox, Opera, Safari, etc. Apply patches as soon as they’re released. Today a web browser is the most vulnerable program on a computer, it gets used to run code that other people write. Code that comes from all corners of the world and is almost always not certified in any way and there’s almost no way of trusting the code. Your web browser will execute it blindly, trusting that it’s safe and you trust that all other programs on your computer (including the operating system) will handle the attacks in a graceful way. Web browsers will be attacked, this is almost a certainty these days. So you need to very latest version that hopefully has had every known vulnerability fixed.
  • Patch your antivirus software. This is often automatic, and it’s often a paid service. Antivirus companies spend a lot of time and money keeping their tools up to date and it’s in your best interest to use their technology. Consider it a good investment, it could cost you thousands of dollars if your system is compromised.
  • Sometimes routers will have to be patched as well. This is a little more advanced and you should only do it if you’re comfortable working with your router.
  • Personal firewalls should also be patched. If your antivirus software includes a [personal] firewall then it’ll be patched automatically, otherwise it’s a separate process.

Chain and padlockAll software that uses the internet in any way, including the various video and music players, needs to be kept up to date. Web browsers and operating systems are the most critical and should be patched the most often. The time and effort you spend is the price you pay for having a safe computer.

A QuickTime Flaw

Here’s a new vulnerability in Apple’s QuickTime program, discovered just recently (and published today). A computer can become vulnerable if the following events happen:

  • You have Quicktime version 7.x installed (any version beginning with 7.)
  • Your computer uses Windows XP or Windows Vista
  • You use FireFox for web browsing (IE 6, 7, and Safari are safe from this vulnerability for the now)
  • QuickTime is your default media player
  • You visit a site hosting a malicious video file that takes advantage of this exploit.

Chances are you don’t meet all of the above criteria, but since there are so many computers on the internet now there would still be a large number of people who do.

The damage from this could be anything for now. Since the exploit has been published malicious hackers all over the world are probably busy writing viruses and trojans to take advantage of it.

So when Apple releases an update be sure to install it. And if you use a good antivirus package it won’t be long until they release a new update (this is why it’s important to keep your antivirus program updated).

Details have been published here.

Virtual Visa Cards

This concept isn’t new, it’s just becoming more easily available. It’s like a prepaid credit card, and the idea is that if it gets lost or stolen there’s only so much credit that can be stolen. It’s not linked to any of your usual bank or credit cards. It could also be considered a disposable credit card. (And the term debit would be more accurate than credit).

In Australia there’s now a new credit card that works in this way called V-Card. It carries the Visa logo and can be used just like any other Visa credit card, only that you can put any value you want into it before you start spending.

Since the whole idea is to avoid online fraud you probably wouldn’t want to buy one online. They’re going to be available at real shops (Mobil/Quix for now), you then activate it online and they send you the security details by email or SMS to make you feel more secure. There’s a $5.50 setup fee on top of the credit.

It’s a good idea for many people, especially those who have avoided online shopping till now. It could also be useful when travelling overseas (so many travellers return with stories of how their credit card details were stolen).

Details here.

The Need For Strong Passwords

Combination LockPasswords have been an everyday part of life with computers, and they won’t be replaced any time soon. It’s a form of authentication, granting you access to a system or service.

When security is based on passwords two pieces of information are required:

1. A username
2. A password

Often it’s not difficult to guess a username. Some computers keep this information easily available to anyone who cares to look, and other times it’s just a matter of guessing.

Passwords are more difficult. The “strength” of a password is critical to keeping out unauthorised people. “Strength” is a measure of how easily it can be guessed. And if you’re wondering who really sits there trying to guess passwords you’re in for a surprise.

Passwords can be made stronger by using a combination of the following tips:

  • Make your password long. Tip: join 2 or 3 words together
  • Have at least one letter in uppercase
  • Don’t put a 1 at the end of your password (it doesn’t help at all)
  • Use a made-up word if you can think of one, or spell a real word incorrectly
  • Try not to use the same password on every website (more on this another day)

If you under the impression that no one will bother trying to guess your password then you’re definitely need to continue reading. Hackers don’t sit there trying to guess passwords (what could be more boring than that?). They write programs that do all the hard work of guessing programs. Then they maliciously install this program on other people’s computers (sometimes tens of thousands of hacked computers) to do lots of hard work for them. They just sit back and wait for the results to come in.

Protecting systems with passwords is a tough battle for the good guys (like you and me). As the progress of technology marches on we have faster computers which means hacking passwords becomes easier.

Now the really interesting part. There’s been some development on all this password guessing technology – where it used to take one computer months to crack a Windows Vista password, by utilising the untapped power of a modern computer’s graphics processor it’s now possible to do the same work with the same computer in 3 – 5 days. That’s 25 times faster just from some clever programming (see this article for the details on how).

So in the real world we have programs running on tens of thousands of computers, guessing billions of password combinations relentlessly, with the expectation that soon they’ll find all the easy ones.

So be smart about passwords. Make it very difficult to guess. And remember that there really are people out there trying to hack into your accounts so always be careful.

2 New Skype Related Warnings

There are two new warnings related to Skype today. In each case it’s not Skype that’s the problem, it’s just related to their service.

1. Some people have received a warning saying “Security Center has detected malware on your computer“. If you click on the links provided you’ll get a message telling you malware was found on your computer. It then asks you to pay money for an alleged program to clean it. If you see this, ignore it. It didn’t really scan your computer for viruses, and the money they ask for won’t really go towards anything good.

2. Some Skype users have received a message about finding a lost girl. Again this is a hoax and if you click on the links provided a web site will attempt to install a virus on your computer. Ignore it.

More details can be found at Skype’s security site.