...and yet, it does. I could also have titled this post missing the forest for the trees. I had an interesting experience recently (two, actually), that I thought really drove home a point we in the information security field, and in fact in any field that makes rules, often forget. We forget the reason for rules, or we do not adequately express the reasons to those that must follow the rules. The result can be quite frustrating to those required to comply.
I recently spent a week in Costa Rica - a beautiful country, I might add, but also my first experience outside the United States and its immediate neighbors, so there were a few cultural and communication challenges to overcome. One evening, after signing out and calling for a taxi to take me to my hotel, I decided to check my personal email while waiting in the lobby. I had a half hour to wait, and didn't want to sit there bored for a half hour.
As a security professional, I am more aware than most of the risk of identity theft and financial fraud. So some may find it odd that I was an early adopter of, and am a big fan of, online banking. After all, isn’t that how one’s identity is stolen? Isn’t online banking the quickest path to financial fraud? Well, no, and yes.
The interconnectedness of the Internet and the myriad financial transactions that take place across it certainly expose me to risks I would not face in a brick-and-mortar branch. A fraudster no longer has to interact with me face-to-face, and a modern-day bank robber no longer has to go after the physical vault (though they still do, as recent stories from Folsom and Austin show). Instead, he or she can attack the bank electronically, or plant malware on my PC to steal login credentials (it is far less likely for someone to intercept the communication between my PC and the bank, due to encryption technology).
This week, I saw several seemingly-unrelated articles, one (a video) on eavesdropping Bluetooth headsets, one on automotive hacking, and one on attacking the keyless ignition system popular on some newer cars. These topics have been in the news quite a bit in the past year (albeit mostly back page), and it got me to thinking. Our world is evolving. Entertainment, convenience, and transportation devices are increasingly Internet-aware, bringing us ever more convenience, ever more capability.
I love that I can play mp3 music from my DLNA server using my Blu-ray player. I love that I can stream movies from Netflix using my Wii or my Blu-ray player. I love that I can challenge players anywhere in the world to a round of Mario Kart on my networked Wii. I love that my car has tire pressure monitoring sensors to tell me at a glance the exact air pressure in each tire. I love that I can listen to music on my smartphone, and seamlessly take phone calls from my Bluetooth-enabled headset.
This post was first published in 2011, and while many of the most widely-used web sites have adopted practices to minimize the risk from the particular attack described here, the basic principles still apply. And since the Firefox plug-in is now widely known, I don't mind mentioning that the plug-in is Firesheep.
This is my first foray into the blogosphere, but it probably won't be my last. I'll get to my topic in a moment, but first a little about me. I'm a 14-year veteran of Intel IT, with roots in appdev support, system administration, and for most of the last decade, information security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. When not at work, I spend my time raising five rambunctious kids - twins age 10, a 9-year-old, and twins age 7. In amongst that, I teach youth Sunday School, and am the Commander for a Wednesday night Awana club at my church, teaching some 30+ preschool through 6th grade kids. Follow @DSTX_Awana to see what is going on in our club.
