Thursday, September 5, 2013

How Big a Risk are Geotagged Photos?

A friend showed me a video from a Missouri news station (from a newscast almost 3 years ago, mind you). In the video, the reporters discuss a "new threat" with "new technology."  While the video engages in the usual FUD (fear, uncertainty, and doubt) to oversell the risk, there is a nugget of truth that bears repeating.

Smartphones, tablets, and many standalone digital cameras have a GPS built-in, and can "geo-tag" photos with the location at which they were taken. This can make it easy to group photos by location (as in, group all my photos from the Grand Canyon, or from Disney World, or from Jamaica ... assuming I had vacationed at any of these places). But it makes it equally easy for someone else to do the same.
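As an added example (not from the original post), here is the defender-side check in Python: it builds a constructed minimal JPEG whose Exif block carries a GPS IFD, detects the GPSInfo pointer in IFD0, and strips the Exif segment before the photo is shared. The sample JPEG layout and the function names are my own construction; a real camera file carries a full GPS IFD with latitude/longitude rationals, which this detection does not need to decode.

```python
import struct

GPS_IFD_TAG = 0x8825  # EXIF "GPSInfo" pointer tag in IFD0

def build_geotagged_jpeg():
    """Constructed sample: minimal JPEG whose APP1/Exif segment has IFD0 -> GPS IFD (GPSLatitudeRef=N)."""
    gps_off = 8 + 2 + 12 + 4                              # TIFF header + one-entry IFD0 + next-IFD pointer
    tiff = b"II*\x00" + struct.pack("<I", 8)               # little-endian TIFF header, IFD0 at offset 8
    tiff += struct.pack("<HHHII", 1, GPS_IFD_TAG, 4, 1, gps_off) + b"\x00" * 4
    tiff += struct.pack("<HHHI4s", 1, 0x0001, 2, 2, b"N\x00\x00\x00") + b"\x00" * 4
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

def _segments(jpeg):
    """Yield (offset, marker, length) for each marker segment after SOI, stopping at SOS or EOI."""
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] not in (0xD9, 0xDA):
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield pos, jpeg[pos + 1], length
        pos += 2 + length

def has_gps_tag(jpeg):
    """True if the JPEG's Exif IFD0 carries a GPSInfo pointer, i.e. the photo is geotagged."""
    for off, marker, length in _segments(jpeg):
        if marker != 0xE1 or jpeg[off + 4:off + 10] != b"Exif\x00\x00":
            continue
        tiff = jpeg[off + 10:off + 2 + length]
        end = "<" if tiff[:2] == b"II" else ">"              # byte order declared by the TIFF header
        ifd = struct.unpack(end + "I", tiff[4:8])[0]
        count = struct.unpack(end + "H", tiff[ifd:ifd + 2])[0]
        for i in range(count):
            tag = struct.unpack(end + "H", tiff[ifd + 2 + 12 * i:ifd + 4 + 12 * i])[0]
            if tag == GPS_IFD_TAG:
                return True
    return False

def strip_exif(jpeg):
    """Return a copy with every APP1/Exif segment removed; the image data is left untouched."""
    out, pos = bytearray(jpeg[:2]), 2
    for off, marker, length in _segments(jpeg):
        pos = off + 2 + length
        if marker == 0xE1 and jpeg[off + 4:off + 10] == b"Exif\x00\x00":
            continue                                       # drop the metadata segment
        out += jpeg[off:pos]
    return bytes(out + jpeg[pos:])
```

Stripping the whole Exif segment also discards camera model and timestamps, which is usually what you want before uploading a photo anyway.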

Friday, August 9, 2013

Turning a NAS into a Halfway Decent Media Server

A while back, I bought a Seagate “FreeAgent GoFlex Home” network-attached storage (NAS) device - essentially a hard drive with a network port that does not need to be connected to a computer. I had two goals in mind: my digital music collection had outgrown the old PC I use for that purpose, and backups of my various home PCs were a haphazard mess. I could have spent several hundred dollars on a new computer to serve this purpose, but I thought I'd try something new and try my luck with a ~$150 NAS device.

Friday, July 26, 2013

A Note for Code Developers

Today's post is very simple: if you are going to write code, don't embed privileged usernames and passwords in the code. And if you must hard-code a password, for crying out loud, don't store the code with passwords on a public code repository!

https://github.com/search?p=1&q=mysqldump+-p&ref=searchresults&type=Code

Nearly 10,000 examples of code on GitHub with the MySQL database password written in cleartext in the code. Many of the code samples show a username of root ... might that also be the root account and password for the system itself?

Sure, many times an application needs to access a database and the end user doesn't need to have an account. But instead of coding the root password into the application, either use a limited account that only has read access, or better yet, handle account management on the server side. If the application runs in the context of a user with appropriate credentials, then there is never a need for the application to log in, and thus no need to store usernames and passwords in the source code.
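An added example (not from the post or from any project it mentions) contrasting the pattern the GitHub search turns up with the alternative the paragraph describes: a dedicated low-privilege backup account whose password arrives from the environment and is handed to mysqldump through a 0600 option file, so the secret never sits in the source or on the command line. The account name, database name and environment variable are assumptions.

```python
import os
import shlex
import stat
import tempfile

DB_NAME = "inventory"    # constructed sample database name
ROOT_PW = "hunter2"      # constructed sample of the secret that should never be here

def insecure_dump_command(password=ROOT_PW):
    """The pattern from the GitHub search: root password glued onto -p, in source and in `ps`."""
    return ["mysqldump", "-u", "root", "-p" + password, DB_NAME]

def render_option_file(user, password):
    """MySQL client option file contents for a dedicated, least-privilege backup account."""
    return f"[client]\nuser={user}\npassword={password}\n"

def write_option_file(user, password, directory=None):
    """Write the option file readable only by the current user and return its path."""
    fd, path = tempfile.mkstemp(prefix="backup-", suffix=".cnf", dir=directory)
    with os.fdopen(fd, "w") as fh:
        fh.write(render_option_file(user, password))
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)   # 0600: the secret lives here, not in code
    return path

def hardened_dump_command(option_file):
    """mysqldump reads user/password from the option file; nothing secret appears in argv."""
    # --defaults-extra-file must be the first option passed to a MySQL client program
    return ["mysqldump", f"--defaults-extra-file={option_file}", DB_NAME]

def argv_leaks_secret(argv, secret):
    """What a code search, shell history or `ps` would see: is the secret in the command line?"""
    return any(secret in arg for arg in argv)

if __name__ == "__main__":
    # The backup account's password is supplied by the environment at run time
    # (placeholder default only so the demo runs); it is never a literal in this file.
    backup_pw = os.environ.get("BACKUP_DB_PASSWORD", "placeholder-backup-password")
    cnf = write_option_file("backup_ro", backup_pw)
    try:
        print(shlex.join(insecure_dump_command()))     # password visible
        print(shlex.join(hardened_dump_command(cnf)))  # only a file path visible
    finally:
        os.unlink(cnf)
```

The backup account itself should be granted only what the dump needs (read access), so that even a leaked option file does not hand out root.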

Tuesday, July 23, 2013

Disguised links

Previously I wrote about two new pen-test / social engineering tools (Pwnxy and Phishable). These tools simplify the "art" of deceiving an end user by presenting a legitimate-looking page (the page is in fact legitimate, but passed through a proxy that can change the content and intercept anything submitted - such as login credentials).

One comment from a reader was, can you tell if a link is safe by examining the URL? To some degree, yes you can tell by the actual URL whether the link is safe or not. When you hover over a link, typically the actual URL is displayed on the browser's status bar at the bottom of the screen. If the URL is myrealbank.com, it may be safe; if the URL is myevilproxy.com?site=myrealbank.com, that's a dead giveaway. Shortened URLs (t.co, bit.ly, etc) make this a bit more challenging, because the short URL masks a much longer string, and it's a bit inconvenient to check each long-form URL before following the link (though there are browser plug-ins that will expand the URL and show you the full link).
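An added example, not part of the original post, of the URL checks described above in Python: it classifies the real href (what hovering shows) against a trusted-site list, flags the `myevilproxy.com?site=myrealbank.com` pattern and known shorteners, and compares the visible link text with the real destination. The trusted host and shortener lists are constructed for the demo.

```python
from urllib.parse import urlsplit, parse_qs

TRUSTED_HOSTS = {"myrealbank.com"}                         # the site the user thinks they are visiting
KNOWN_SHORTENERS = {"t.co", "bit.ly", "goo.gl", "tinyurl.com"}

def host_of(url):
    """Lower-cased hostname of a URL (scheme optional), ignoring any userinfo and port."""
    netloc = urlsplit(url if "://" in url else "http://" + url).netloc
    return netloc.rsplit("@", 1)[-1].split(":", 1)[0].lower()

def is_trusted(host):
    """Exact match or subdomain of a trusted host (www.myrealbank.com counts, myrealbank.com.x does not)."""
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)

def classify_link(href):
    """'trusted', 'shortened', 'proxied', 'lookalike' or 'unknown' for the real href, not its visible text."""
    host = host_of(href)
    if is_trusted(host):
        return "trusted"
    if host in KNOWN_SHORTENERS:
        return "shortened"        # destination hidden behind the short URL; expand it before trusting
    query = urlsplit(href if "://" in href else "http://" + href).query
    if any(is_trusted(host_of(v)) for vs in parse_qs(query).values() for v in vs):
        return "proxied"          # the myevilproxy.com?site=myrealbank.com giveaway
    if any(t.split(".")[0] in host for t in TRUSTED_HOSTS):
        return "lookalike"        # trusted name embedded in an unrelated hostname
    return "unknown"

def text_and_href_disagree(link_text, href):
    """Visible text names a trusted site but the real destination (what hover shows) is elsewhere."""
    return is_trusted(host_of(link_text)) and not is_trusted(host_of(href))
```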

Friday, July 12, 2013

Pwnxy and Phishable - awesome tools with scary abusability

Penetration testing answers the question "can someone penetrate your defenses" before a hacker does the same.  In other words, when you put up a door on the Internet, someone somewhere is going to see if they can crawl in through an unlocked window instead of using the door as you intend.  Pen testing searches for that window, or back door, or subterranean tunnel, with the intention of finding and closing vulnerable surfaces before an attacker does it for you.

One facet of penetration testing is to focus on the person rather than the system - if I can get a person to give up their keys to the front door (their username and password, for example), then there is no need to search for a weak back door or unlocked window.  A common way to approach this is through phishing - often an email (or Facebook post) masquerading as communication from a trustworthy entity (say, a bank or a boss) asking for information, or directing the target to a web link.

Tuesday, June 11, 2013

Security Savvy Kids

My generation came of age as the Internet sprung on the scene ... we did not have the benefits nor threats of social media when we were teenagers. Our children are now growing up in a world where connectedness is ubiquitous.  My 13-year-old son just got his first personal laptop this week (as opposed to using a shared family computer), so much of what I have written over the last few years suddenly has a newfound relevance.  How do I protect him from malicious actors and his own youthful naivety, while at the same time teaching him to become a tech-savvy young adult? I don’t have all the answers yet (truthfully, I’ll never have all the answers), but here’s a sort of "stream-of-consciousness" stab at a starting point.

Wednesday, June 5, 2013

Practice Safe Charging

This is not exactly a new topic, but it is one that has gained a new round of publicity this week following some recent research.

How are most portable electronic devices charged? Through a USB cable. What else can USB be used for? Data storage (flash drives and external hard drives), peripheral devices (mice and keyboards), and more. What makes USB devices so convenient? They are generally plug-and-play, with software drivers built into the device and automatically loaded when you connect to a PC. Do you see a potential problem?

Two years ago, three researchers built a demonstration “charging kiosk” at DefCon, a massive hacker / computer security conference in Las Vegas. The charging kiosk did in fact provide electricity, but it also took advantage of the properties of USB to demonstrate access to data on the device (generally a smartphone, which could be a gold mine for an attacker). In the demonstration, the kiosk merely showed that it could access data, and then displayed a warning message to the user. A truly malicious charging station would not be nearly so kind.

This week, three researchers published a brief for a presentation they will deliver at Blackhat this summer. Their presentation will demonstrate installing malicious software onto a current-generation Apple device (off-the-shelf, not jailbroken, and without user interaction).

In the past couple of years, public USB charging stations have become increasingly common – at airports, in taxis, at bus stops. Certainly not every charging station is malicious - it is likely very few if any are - but this research shows how such conveniences can be abused for ill gain. As in all aspects of life, it pays to understand risk so we can take appropriate action (or consciously accept the risk).

There is a ridiculously simple way to minimize this particular risk. A standard USB cable (sometimes referred to as “Sync and Charge”) will both provide electricity and transfer data.  Inside the cable insulation are several tiny wires (the number varies according to the USB version). A visually-identical charge-only cable is missing the wires and/or pins that transfer data, so it is physically only capable of providing electricity. $5 or $10 for a charge-only cable is cheap insurance against this type of attack.

I look forward to the presentation to see other suggestions the team has.

Update December 4, 2015: Graham Cluley wrote about a related topic: many common devices in hospitals and other public facilities have USB ports, which might be tempting sources of power for a mobile device. These devices though serve important purposes, in many cases keeping patients alive. Plugging a phone or tablet in for a quick charge could unintentionally damage the equipment, leaving it inoperable the next time it is needed for a medical emergency.

A charge-only USB cord is great for charging from an untrusted charging kiosk, but an AC wall adapter is the better bet if you need to charge and no dedicated charging port is available.