Credit Card Security

I recently had a miserable experience with credit card fraud and am not looking forward to having more high tech credit cards in my pocket as a result. I was pumping gas at a Chevron station in East Palo Alto. All seemed rather benign and safe. I swiped my credit card in the embedded machine in the pump. It asked me for the usual zip code info, approved and on I went with pumping the gas. I finished, took my receipt and drove off. About an hour later I get an email from Barclays Bank who handles the Virgin America VISA card (really cool looking card) stating that I had possible fraud activity on my card. I checked it online and noticed that there were two charges at that same Chevron station: my first legitimate one and another larger, fraudulent one for $120. I promptly cancelled it and the Barclays Bank folks were really good on the phone.

I asked around with several friends as to how this might possibly have happened. It’s not definitive but it’s theorized that there was someone at the gas station with a wireless device that somehow had activated the embedded chip in my credit card and somehow got access to information that obviously made them capable of a making a fraudulent charge on the card. Another possibility is that the gas pump somehow could have gotten hacked or intruded upon allowing access to be gained to the cards that get swiped through it.

So there are many credit cards with the embedded chips in them for contactless payments with the terminals at several merchants. Are we headed full speed ahead into a brick wall of a security hole with this embedded technology? What else is at risk?

  • Our healthcare with smart tags or cards that carry our health information?
  • Our passports with the new smart chips in them?

Will the move to using our smartphones or cellphones be safer for doing payments and commerce?

Advertisements

Wireless is for the birds

From my colleague and co-chair of the Wireless Communications Alliance Cognitive Radio Special Interest Group (WCA CR SIG…whew!), Lloyd Nirenberg, I thought this picture was funny and cool, and still somewhat accurate about the “black magic” that is wireless technology. Wireless is for the birds.png

And yet wireless technologies are permeating themselves into EVERY single facet of our lives. Here is a list representative of my Life, Connected (certainly not an exhaustive or representative list of other people but probably close).

  • iPhone (3G, Bluetooth, WiFi)
  • iPad (3G, Bluetooth, WiFi)
  • Laptop (Bluetooth, WiFi)
  • Mobile broadband card (3G)
  • Smart meter (Zigbee)
  • Toyota SUV (Bluetooth)
  • Playstation3 (WiFi)
  • Nintendo Wii (WiFi)
  • Apple TV (WiFi)
  • Cordless home phone (900MHz DECT)
  • Canon camera (WiFi with internal EyeFi SD card)
  • iMac (WiFi)
  • Scuba integrated air computer (some wireless tech between tank transceiver and wristmount computer
  • Samsung TV (WiFi)

And I think that’s just the beginning. There will be appliances that will be connected to networks to manage their energy consumption. Lighting control systems that will be connected and controlled over IP networks to manage energy consumption based on thousands and millions of sensors also connected telling the lighting control system where the people are. People themselves will be connected everywhere they go (home, work, everywhere in-between) when they go running, go out to eat (READ: foursquare++ :), sit at home watching a show on Netflix, wondering what they’re kids are doing, checking up on elderly parents, on and on.

Where do you think this whole wireless thing is going? And hopefully not the birds… šŸ™‚

What’s Next on the Grid (Healthcare Edition)

There is a lot of activity in the Smart Grid space these days, particularly in the buildout of the infrastructure necessary to get going on at the least the initial vision of the Smart Grid whereby utilities will monitor home and commercial building energy consumption to optimize the generation and distribution of energy during times less stressful on the same generation sources, distribution networks, and ultimately pocketbooks of those purchasing the energy. However what is beyond the infrastructure and what are truly new services that can overlay or be completely new experiences for the end users and monetization opportunities for the service providers, which may include the utilities but not be exclusive to them? I argue that these new services need to be thought of in terms of the target “consumers” of the services and new lifestyle attributes created from these services. As the first in the What’s Next on the Grid series, this article will discuss at a high level how Healthcare is one of these many new services and lifestyle impacts that the Smart Grid++ will create.

What do Healthcare and the Smart Grid have in relation to each other, apart from the fact that the same end consumers of the Smart Grid services are all human beings (Ed.: machine-to-machine applications on the grid notwithstanding) that need to lead healthy lives? At first glance, pretty much nothing in common. However let’s look at a few characteristics that the two have in common.

  1. Both use wireless technologies. In Smart Grid, AMI is implementing Zigbee and Home Area Networks (HANs) are implementing several wireless technologies such as WiFi. In Healthcare, hospitals and clinics are implementing WiFi for voice and data communications (and other proprietary wireless) and the Healthcare vertical has been an early adopter of wireless technologies due to complexities with running wired infrastructure for connected devices.
  2. Both are connecting their devices. Meters, appliances, thermostats and TVs connected to a network is the first step to monitoring their energy consumption. Similarly connecting X-ray machines, home dialysis machines, medicine carts, patient tracking badges and in-home heartrate monitors are the first steps to creating anywhere, anytime patient monitoring.
  3. Both see mobile devices and technologies as game changers. Whether it is iPhones, iPads or other mobile Internet devices and displays, remote and on-the-go manageability is an absolute need for doctors, nurses, building managers, or utility operations personnel. We’re seeing the traditional closed NOC center become more and more distributed as mobile becomes pervasive.
  4. Both are seeing significant innovations in the cloud. This dimension is more of a When and not If it will happen. But also How it will happen. Scalability and reliability of the cloud has been proven time and time again. However both Smart Grid and Healthcare have requirements for privacy of consumer/patient information, massive data management of petabytes and exabytes of detailed data (real-time energy consumption data from dozens of devices in a home to large MRI and other diagnostic imaging data from radiology departments), and strict regulations of who can access this data.

Rather than looking at each of the above dimensions individually and in a vacuum of minutiae, let’s look at them from a couple of fictional usage scenarios centered around how they benefit the lifestyles and livelihoods of the users. Fictional only in that I’ve not heard they’ve been actually implemented but technically very feasible.

I’ve Fallen and I Can’t Get Up

Babyboomers are the largest new segment of the population entering their “golden years” but with both financial capability and a desire for wellness not just visit their doctors when they catch a bug. Many are staying proactively healthy with exercise, activities and good dietary habits. Imagine their stationary bicycles and Stairmasters connected to a converged wellness management system that also gives them suggestions or implements automated rules that reduce their energy spending. The stationary bicycles send their physicians and dietitians real-time and historical information of how they’re exercise program is going, their heartrate range from at-rest to peak performance, weight, etc. If the users also included some anaerobic cardio such as swimming in their programs, wouldn’t it be nice if the pool heater and pool pump energy consumption were activated according to the people’s schedules? If there were changes to the schedule, they can enter the new schedule via their mobile smartphones or simply via their locations the schedules can be altered.

Code Blue in Room 305

There are many critical systems within a hospital environment such as the intensive care wards, radiology departments, patient and asset tracking systems, access to medical records and so forth. Some, but not all, hospitals have backup generators to weather through power outages but the rise of renewables such as solar and other alternatives could make the hospital environment its own micro-grid with these various power source subsystems that can be tapped and utilized in optimal times and conditions. However a holistic view of all the critical systems WITH the available alternate power subsystems implemented in a Critical Intelligence and Rules service ensures that all of the patient care and hospital management systems are available at all times in the most efficient manner. The MRI machines draw a lot of power so they wouldn’t necessarily be switched to a battery bank while the 900 MHz Asset HAN can easily operate on duty cycles conducive to drawing from the batteries during peak tariff periods.

Check On Grandma

Many of us having aging parents and grandparents who we’d like to be able to check on from time to time, given our very active lives with traveling, taking care of kids or running companies. In comes the mobile phone as the portal to many of these personal facets of our lives. I can see to ensure the temperature is comfy for Grandma in Miami because there happens to be a major cold chill sweeping through the area and she doesn’t know how to work that new programmable thermostat the utility installed. At the same time I can see that she’s up to date on her heart medication because she’s been taking the pills at the same times every day (RFID on the pill container with an integrated alert) and her in-home heart check monitor is giving me a green indication stating all is well. I’m on vacation in Europe with the kids so I sleep much better knowing this. We’ll give her a call tomorrow after the gondola ride.

Summary

There are no lack of opportunities where the Smart Grid is more than just a grid for distributing energy at the right time of day. The ultimate uptake by consumers will be in the many layered ways they perceive these services touch and improve their lives. Some parts will be slower than others but beyond the infrastructure, the services need to be developed in a very user and customer-centric manner if they are to make good business sense as well.

Mobile Hacking Tool…that you can’t see

Amid all the recent buzz on iPhone 3.0 SMS vulnerability and other security concerns around the iPhone, one of the scarier stories revolves around the iPod Touch and how to turn it into a mobile penetration test tool.

The article dated August 5th in Dark Reading, describes the notion of “weaponizing” the iPod Touch. The weaponization according to Thomas Wilhelm from Colorado Technical University, “The iPhone Touch can also perform ARP spoofing and force nodes to use it as a gateway. “The coolest thing with the iPod Touch is that it can tell every computer in the network that it’s the gateway, and that when you talk to Google, you have to go through it,” Wilhelm says. “Then it captures all of the packets that go across the network.”” Why the iPod Touch? Because it’s small and can be carried into ANY facility without anyone knowing it.

Furthermore, it can be installed in stealth with some Home Depot parts that Wilhelm instrumented to give it infinite power, “It’s basically an electric box with an empty faceplate affixed to a wall to hide the iPod, which is plugged into the wall outlet.”

How do you solve this problem? Because the iPod Touch must connect wirelessly to the network, it will be transmitting so can be detected and located by a WIDLS (Wireless Intrusion Detection and Location System) like AirPatrol.

What if this were the iPhone instead of the iPod? Then any vulnerability scans can be immediately offloaded over the 3G network, undetected by ANY of the WIDS systems available in the market today unless it could also detect and locate cellular signals as well. Again, see AirPatrol.

Mobility Paradise or Cyber-Apocalypse?

A couple of very interesting articles made e-headlines last week. NextGov’s article titled Cell phones, other wireless devices next big cybersecurity targets, and GovInfoSecurity’s article titled (very appropriately, if I do say so) Tsunami of Insecurity: Safeguarding Mobile Devices brought to light what I’ve been saying for several months now…mobile devices will be the next generation of cyberthreats and cyberattack targets in a magnitude never before experienced in the information or Internet ages!!!

According to Seymour Goodman, professor of international affairs and computing at Georgia Institute of Technology, “Concern over the vulnerabilities has increased as more users worldwide shift to mobile devices in favor of desktop and laptop computers. More than 3.5 billion cell phones are now in use, vastly outnumbering traditional Internet users”.

Let’s do the math (these forecasts are per IDS, Gartner, and other analysts):
– About 150,000,000 new laptops and netbooks are forecasted for sale in just 2009.
– About 1,400,000,000 new mobile devices are forecasted for sale in just 2009.
– Approximately 20% of the new mobile devices are smartphone-class devices with powerful processors, operating systems, memory, and ALWAYS CONNECTED.
– So…there are almost twice as many smartphone-class mobile devices flooding the market this year than all the laptops!
– And yet the remaining 1,120,000,000 mobile devices are still quite capable of capturing pictures, storing megabytes and gigabytes of data, and recording audio quite easily.

Alan Paller, director of research at the security SANS Institute, a cybersecurity research and education group in Bethesda, Md., said mobile devices could become a target for hackers, although computer networks remain the subject for traditional cyberattacks. “It’s true that we all carry these devices, and I see a rapidly increasing number of attacks against these devices, particularly to make them zombies to complement the PC bots,” which spam or send viruses to other computers on the Internet, he said.

With the botnet dream-state of billions of mobile devices making themselves available to new, yet-to-be-discovered forms of malware, the scenario whereby no network or data is safe is rapidly becoming a reality. The only question is:

What are we going to do about it?

Wireless Hacking and Intrusions

Lay’s potato chips has nothing on this Pringle’s can used for directionally aiming a wireless receiver towards a wireless network, thereby extending the range of the receiver. I’ve tried this in the past and it actually works. No, I didn’t hack a network, just wanted to see if it would actually work. Which is what I believe to be most of the attempts, but you just never know these days with desperation kicking in to high gear with corporate espionage, insider trading, or other less-than-noble attempts at making a fast buck or skirting regulations. Check out the video on YouTube.

Pringle’s tube wireless hacking

Here’s also another interesting YouTube video on a somewhat detailed procedure of how to “read” the 128-bit AES encryption key for a wireless network over-the-air. I should provide the usual disclaimer that neither myself nor my company condone the use of such techniques for any purpose.

Wireless WEP Key Hacking

Victory for Obama…Again!

So it seems that the Prez has won the battle of keeping his Blackberry. He says it’s not up and running yet, but I imagine that there is some imaginative thinking going on with regards to how to secure it beyond anything the US Secret Service, the White House staff, and of course, Research In Motion have ever had to deal with.

What are some of the most critical characteristics of a mobile device that open up security issues for the President? Of all of the issues, location of the device in the carrier RAN and HLR are of particular noteworthiness. If there is one thing that I would not want any unscrupulous characters knowing is the real-time location of my new President!

But having some very recent experience as Hewlett-Packard’s Mobile & Wireless CTO, there are a number of features that most of the enterprise-class mobile email devices implement. Remote lock and wipe, enforced password policies, mobile VPN/encryption, two-factor authentication, etc. According to the article on CBCNews from Canada there is speculation as to whether the actual device is a Blackberry irrespective of Blackberry being used throughout the US and other government agencies. “There has been speculation from security analysts that the device Obama will use would be one already approved by the National Security Agency, such as the Sectera Edge, designed by General Dynamics Corp. and L-3 Communications.”

There are threats galore to the average Joe (no, not the Plumber) with regards to mobile and wireless access to information and networks. The article goes on to say, “Even the most secure network isn’t perfect and even the most complex security algorithms can potentially be hacked, said Schneier, and he says no shortage of potential groups ā€” from criminals to the spy agencies of other nations ā€” might try to access a device used by the president of the United States.”

I wish my Facebook friend Pres Barack O the best of success in keeping his emails inaccessible to others and stay “connected”!

The "Connected" White House

Now that officially President Obama is in the oval office, we have for the first time in the history of US government a “connected” President and White House. According to Wired, while the new Prez may not be allowed to keep his Blackberry, he is certainly one of the more tech savvy individuals to occupy the Oval Office. However, “aides say that Obama is determined to be the first President to use a laptop in the Oval Office”. Good for him and for the spirit of what he is trying to establish, which is to at least run the White House like a new age startup…leveraging all the tools for engaging his “customers” (i.e., the people who elected him…even those that didn’t) and listening to them for building and steering his “business” (i.e., the Executive Branch of the US Govt). It’s a far cry from having been run like a business, but we all have high hopes for him.

If in fact he gets his wish to be a “connected” President with his laptop, how will his tech staff secure his information and access to networks, secured or the open Internet? If it somehow gets lost or misplaced, how will they be able to track and locate it for recovery. Those questions certainly wait to be answered and many of us in the tech industry (i.e., geeks) await with bated breath!