So is that your PIN number?

In the spirit of Richard's post below on a little 'no tech hacking'; on a couple of occassions recently I've had friends wanting to show me photos taken on their iphones, and inadvertantly reveal some potentially quite damaging information.

To set the scene, you're discussing a subject (such as a holiday) and your friend says "want to see the photos?". Applying the in the affirmative, they whip out their phone and hold it up for you to see, hitting a button and entering their unlock PIN to begin showing you the photos.
It's at this stage I ask "so, is that number you just entered the same as your ATM-card PIN?"
Sheepish looks ensue as they mumble "....yes...." and I reply "you might want to change that...or lend me your ATM card!"

Now this certainly isn't an 'iphone-problem' as such, or I'd wager even a new problem. It is however exacerbated by the new touchscreen smartphones and their big friendly on-screen keypads that make it much easier to 'shoulder-surf' from greater distances and see the PIN number more easily as it is entered.
ATM card PIN numbers are a little unusual as for a lot of people they are one of the few 'enforced' passwords they use. By 'enforced' I mean they are passwords that are dictated and not chosen by the end user, they are often just a random (or semi-random) 4-digit string that was supplied by the bank.
Although these days you can often choose a PIN number while opening a new account, this wasn't always the case and many people have had the same PIN number for years, from card to card, keeping the one they've already memorized. After all we are often creatures of habit.

So when the new phone arrives and needs to be set up with a 4-digit PIN number, it seems not uncommon to grab the first available 4-digit number that you already have memorized - your ATM PIN (I'd wager birthdays or borth year are the other popular options) and off you go.

What's the risk? Well it's probably pretty low. I'm not really going to run off with my friend's ATM card, nor bother remembering their PIN number after seeing it initially. But low risk is not no risk and doing something as simple as scrambing or reversing your ATM PIN (if that must be the basis of your phone PIN) is better than using the same number.

A little research into PIN numbers brought up an interesting fact; the inventor of the ATM PIN, Brtion Mr Shepherd-Barron wanted to use a 6-digit number (based on his army number), but his wife said she could only remember 4-digits - so that became the world standard!*

And btw, yes I have an iphone and no my PIN is not the same as my ATM card! (nor any derivative thereof!)

*Except for Switzerland, where apparently 6-digits is the default....

Mirror Image

It's actually quite a while since I started this post but I think it shows interesting potential for a little no tech hacking...

Captain's log, stardate 2009.8:
A week or so back I took delivery of my shiny new Diners Club corporate card. I dutifully signed the card, activated it and stuck it in my wallet, I left the letter which it came wrapped in on my desk, nothing to worry about, right? After all, the important bit (the card) was safe and sound in my wallet with my signature on the back. In fact all the details necessary to use the card were actually on the letter, the card number, my name and the ccv had all rubbed off on the paper leaving an imprint that could be read with a little bit of guesswork.

What's particularly worrying me at this point is that I loaned Justin the letter to use for a demonstration and I haven't seen it since...

Profiling the Defenders

I recently came across quite an interesting paper from Dalhousie University in the US on the psychology of Information Security professionals called "profiling the defenders"[pdf]. While being admitedly limited in it's scope (they surveyed only 79 people), it nonetheless opens the door to an interesting and (afaik) not well-researched area of psychological analysis on the IT Security 'good guys'.
Typically the 'bad guys' are the ones being profiled, to better understand their motivation, to 'get into their heads' and therefore be able to second-guess them. There are plenty of courses [pdf] and certifications that are designed to help you 'think like a hacker', but how do the defenders think, and what needs to be changed over on the blue team to make them better?

Findings such as that IT Security Pros were 10 times more likely than the (US) average to be INTJ-type personalities is interesting/ Also that there was such a difference between IT Security Pros and law-enforcement personalities, who are largely ESTJ-type personalities -- a type that was not reflected in any of the surveyed IT Pros.

While I certainly have no background in Psychology (and parts of this paper are well over my head!), it is well worth a read for those interested and I'd like to see the results of a study done with a larger, more representative, survey group.

Some good further reading on different aspects of Psychology and Security is available here.

More Aurora

I was pointed to some more information on Aurora by a Uni classmate. HBGary have a slightly more in-depth threat review of Aurora here [pdf] and are offering a 'Aurora inoculation shot' with details here. The inoculation does not address the social engineering aspect of the attack, it is more of a scanner to tell if you're already infected and help clean the infected machine (which to me seems like more of an after-the-fact action than the name 'inoculation' implies).

One thing in the HBGary report is the CRC algorithm used is claimed to "indicate the malware package is of Chinese origin". This was originally announced by Joe Stewart and widely reported, but there has since been some dispute as to whether the CRC is a 'smoking gun' indicating China.

We may never know...

On a somewhat related topic (malware in general), I often use virustotal to scan 'suspect' files, but a colleage recently pointed me to a coupleof other sites that provide a similar service: and All three are worth investigating if you haven't seen them before.

"Aurora" attacks

iSec has published a brief report [pdf] into the widely-reported "Aurora" attacks on Google (and others) that allegedly orginated from the Chinese Government. The report provides an interesting insight into a recent sophisticated attack that I suspect few organizations would have been able to repel, and is well worth reading.

An important point from the end of the report is that the:
"...most interesting aspect of this incident is that a number of small to medium sized companies now join the ranks of major defense contractors, utilities and major software vendors as potential victims of extremely advanced attackers. This is concerning for many reasons, not the least of which is that even most Fortune-500 companies will not be able to assemble security teams with the diversity of skills necessary to respond to this type of incident."

Fraud Week

The Australasian Consumer Fraud Taskforce is running it's annual awareness campaign this week with the theme 'Online Offensive - Fighting Fraud Online'.

With identity theft often listed as the fastest growing crime, it's good to see the Government promoting awareness through sites such as scamwatch.

On a similar note, Bruce Schneier highlighted on his blog recently a facinating interview with a Nigerian Scammer that is well worth reading. It can be found here: part one, part two, part three.

powered by Blogger | WordPress by Newwpthemes | Converted by BloggerTheme