Home / Blogs

The Growing Security Concerns… Don't Have Nightmares

Bill Thompson

Anyone concerned about the security of their computers and the data held on them might sleep a little uneasily tonight.

Over the past few weeks we've heard reports of serious vulnerabilities in wireless networking and chip and pin readers, and seen how web browsers could fall victim to 'clickjacking' and trick us into inadvertently visiting fake websites.

The longstanding fear that malicious software might start infecting our mobile phones was given a boost when the Information Security Center at US university Georgia Tech outlined how phone software could be hijacked to create 'botnets' and allow handsets to be remotely controlled.

And now a group of researchers at the Security and Cryptography Laboratory at Ecole Polytechnique Federale de Lausanne in Switzerland have shown that you can read what is typed on a keyboard from twenty metres away (also a related video).

It takes some sophisticated equipment to do it, but with the right antennae and a bit of luck it seems you can detect the radio emissions coming from the wires that connect keyboards to computers and tell just what someone is typing.

Web addresses, usernames and passwords are all visible, as well as the content of letters, emails and Facebook updates.

These aren't wireless keyboards, which are clearly vulnerable to snooping, but the good old USB or PS/2 keyboards we all use every day.

And even though the kit you need isn't the sort of stuff that your average credit-card skimmer is going to have lying around their flat, it shows that there are many unexpected vulnerabilities to be discovered.

The researchers suspect that cheaper keyboards with poor shielding are to blame, so government departments and hospitals may have to find a better supplier if even more of our sensitive data is not to leak out.

This is a good example of how lack of foresight can lead to security problems when faster hardware catches up with the assumptions made by system designers, and it also lies behind the newly-emerged vulnerability that affects secure wireless networks.

Many encryption tools are susceptible to brute force attacks, for example, where a program simply tries all the possible keys until it finds the right one. The developers believe that this will take too long for it to be useful, ideally some significant proportion of the age of the observable universe.

However the latest version of a password recovery tool from Elcomsoft takes advantage of the astonishing processing power of the latest range of Nvidia graphics processing units (GPUs) to crack both WPA and WPA2 wireless security in a matter of hours or even minutes, rendering most commercial wireless networks open to attack.

Since it was a wireless vulnerability that allowed criminals to break into the corporate network of TK Maxx's parent company and steal details of forty-five million credit cards, this is a threat to be taken seriously.

A few years ago these problems would only have been reported in the computer trade press or in the technology sections of the more serious newspapers, where they were unlikely to bother the majority of network users.

Now they get more widespread attention and are often presented as marking an imminent internet apocalypse.

It is, of course, important that all net users appreciate the importance of protecting their computer and know how to avoid malicious websites, phishing scams and other attempts to subvert their online activities, but it can go too far.

Last week I gave a talk to a group of people in Blockley, Gloucestershire, where I was trying to persuade those who were somewhat skeptical about the usefulness of the Internet in their lives that the network has opened up new and incredibly beneficial opportunities for sharing, interaction and education.

It was one of the increasingly rare occasions when I can lower the average age of those present by entering the room, and I wanted to convince those present that it was worth spending time online.

There was a lot of concern over inappropriate content and how we ensure that children are kept safe, but I also had to field questions about the security of online banking and how to protect computers from viruses and other malware.

These concerns are reasonable, but not if they stop people going online or using the net to the full. The dangers that face us, both the ones we know about already and the ones being discovered by security researchers every day, are not a reason to stay offline, they are a reason to be cautious when going online.

When Nick Ross presented Crimewatch on BBC television he would conclude his litany of tales of crime, violence and disorder by exhorting viewers not to have nightmares.

Perhaps we need something similar to accompany the growing number of warnings over net fraud, wireless security and broken encryption. It may be bad out there, but it isn't quite broken.

By Bill Thompson, Journalist, Commentator and Technology Critic. More blog posts from Bill Thompson can also be read here.

Related topics: Malware, Security

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Comments

To post comments, please login or create an account.

Related Blogs

Related News

Topics

Industry Updates – Sponsored Posts

Nominum Announces Future Ready DNS

New from Verisign Labs - Measuring Privacy Disclosures in URL Query Strings

DotConnectAfrica Delegates Attend the Kenya Internet Governance Forum

3 Questions to Ask Your DNS Host about Lowering DDoS Risks

Continuing to Work in the Public Interest

Verisign Named to the OTA's 2014 Online Trust Honor Roll

4 Minutes Vs. 4 Hours: A Responder Explains Emergency DDoS Mitigation

Dyn Acquires Internet Intelligence Company, Renesys

Tips to Address New FFIEC DDoS Requirements

Smokescreening: Data Theft Makes DDoS More Dangerous

dotStrategy Selects Neustar's Registry Threat Mitigation Services for .BUZZ Registry

24 Million Home Routers Expose ISPs to Massive DNS-Based DDoS Attacks

What Does a DDoS Attack Look Like? (Watch First 3 Minutes of an Actual Attack)

Joining Forces to Advance Protection Against Growing Diversity of DDoS Attacks

Why Managed DNS Means Secure DNS

Rodney Joffe on Why DNS Has Become a Favorite Attack Vector

Motivated to Solve Problems at Verisign

Diversity, Openness and vBSDcon 2013

Neustar's Proposal for New gTLD Collision Risk Mitigation

IT Project Management: Best Practices in Small-Scale Engagements

Sponsored Topics